Answered my own question, posting solution here to close the loop: Apparently older versions of the Squid Reverse Proxy package had issues with this. With the current version, you just need to enable the HTTP Reverse Proxy so that it writes the correct cache_peer entries in squid.conf. Then you can create your web servers and set their Protocol to HTTP, and Squid will properly proxy them, SSL terminating at your pfSense. Externally you are presented with the site as HTTPS and your configured pfSense SSL certificate, even though the internal server is actually plain old HTTP port 80 (or whatever port)
Hope this helps someone!