Apache + Tomcat: Which one should handle SSL? IP-based proxy forwarding?

Posted by delirial on Server Fault
Published on 2012-04-04T15:16:09Z Indexed on 2012/04/04 17:31 UTC

We currently have a Tomcat application running with SSL on port 443. Right now we have an Apache server that accepts HTTP requests on port 80 and redirects to the Tomcat instance:

    <VirtualHost *:80>
        ServerName domain.com
        ServerAlias domain.com
        <LocationMatch "/">
            Redirect permanent / https://domain.com/
        </LocationMatch>
    </VirtualHost>

Tomcat is handling SSL, because there's no proxy, just a simple redirect to the SSL port:

    <Connector 
          port="443" maxThreads="200"
          scheme="https" secure="true" SSLEnabled="true"
          keystoreFile="/app/ssl/domain_com.jks" keystorePass="ourpassword"
          clientAuth="false" sslProtocol="TLS"/>

We want to begin using the Apache web server as a proxy and, additionally, do per-IP redirects to certain apps that should only be used by hosts on a pre-determined IP range. We would also like to redirect IPs that don't match the pre-determined list to a static HTML page hosted on the Apache server.

My first question is: Should I continue to handle SSL on Tomcat's end, or should I use Apache with SSL while forwarding to an "unprotected" Tomcat port?

Is there any way to redirect to different apps (and potentially hosts) depending on the incoming IP?

Thanks, del
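
One possible shape for the setup the question describes, with Apache terminating TLS and choosing the backend by client address. This is an added example, not part of the original post and not an answer from Server Fault. It assumes Apache 2.4; the certificate paths, the 192.0.2.0/24 range, the `/internal/` and `/app/` paths, `/restricted.html`, and the backend addresses and ports are all constructed placeholders.

```apache
# Added example. Assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http,
# mod_headers and mod_rewrite loaded. All paths, addresses and ranges below
# are placeholders.

<VirtualHost *:80>
    ServerName domain.com
    Redirect permanent / https://domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName domain.com
    DocumentRoot "/var/www/domain.com"

    # TLS terminates here, so Tomcat no longer needs the keystore.
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/domain_com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/domain_com.key"

    # Pass the original Host header and the client-facing scheme to Tomcat.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # App limited to one IP range. Every other client is refused before the
    # request is proxied and gets the static page from DocumentRoot (HTTP 403).
    <Location "/internal/">
        Require ip 192.0.2.0/24
        ErrorDocument 403 /restricted.html
        ProxyPass        "http://127.0.0.1:8080/internal/"
        ProxyPassReverse "http://127.0.0.1:8080/internal/"
    </Location>

    # Backend chosen by client address: the listed range is proxied to a
    # second host, everyone else to the local Tomcat.
    RewriteEngine On
    RewriteCond expr "-R '192.0.2.0/24'"
    RewriteRule "^/app/(.*)$" "http://10.0.0.5:8080/app/$1" [P,L]
    RewriteRule "^/app/(.*)$" "http://127.0.0.1:8080/app/$1" [P,L]
    ProxyPassReverse "/app/" "http://10.0.0.5:8080/app/"
    ProxyPassReverse "/app/" "http://127.0.0.1:8080/app/"
</VirtualHost>
```

The plain-HTTP hop is only as private as the network it crosses: binding the Tomcat connector to 127.0.0.1 keeps the local backend unreachable from outside, while traffic to a backend on another host travels unencrypted. The address checks match the TCP peer, so if a load balancer sits in front of Apache they see its address rather than the client's.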

© Server Fault or respective owner
