I got some help and was able get the following working:
*.example.com {
tls {
dns cloudflare <redacted>
}
@foo host foo.example.com
reverse_proxy @foo foo.internal-company.com:80 {
transport http {
resolvers 1.1.1.1 1.0.0.1
}
}
@bar host bar.example.com
reverse_proxy @bar bar.internal-company.com:443 {
transport http {
resolvers 1.1.1.1 1.0.0.1
tls_insecure_skip_verify
}
}
}