Interesting. Normally, you're going to be more secure if your machines
are on the same domain and network.
There are 2 ways for Apache to serve as a reverse proxy for Tomcat. One is to use the Apache mod_jk plugin. The other is to use mod_proxy.
I haven't used mod_jk in quite a few years. Although it does have, I believe, some abilities that mod_proxy does not, mod_proxy is the recommended plugin these days.
I think, based on a preliminary view, that you're thinking that you need to use URL rewriting rules to do the proxying. That's not true. Your exact needs are not totally clear, but I'll start with common usage and we can adapt as needed.
First, assume that the Tomcat webapp's public URL might look something like this:
http://app1.coderanch.com/home.jsp . The Tomcat-local URL that would be involved might then look something like this:
http://tomcat-host.altcoderanch.com/app1/home.jsp.
You first would define in Apache, a VirtualHost directive so as to envelope the directives related to app1.coderanch.com.
One of the most important things that you would then place within this directive would be the proxy information. First and foremost, what mechanism you are using: mod_jk or mod_proxy. Note that there used to be a mod_jk2. It was a dead end and anything useful in it was put into mod_jk.
For mod_proxy, you'd use the ProxyPass and ProxyPassReverse directives to set up the linkage AND to do the basic URL rewriting:
caution use ProxyPassReverse with extreme care. If you don't configure properly, email spammers can subvert it to send spam, making you a bad Internet citizen and consuming a lot of your network and computer resources.
For mod_jk, things are more complicated. You have to define a workers.properties file that indicates the hostname/ip and port (usually 8009) of the Tomcat's coyote connector. Since there's no full rewrite
pattern here the way there is with mod_proxy, I think you do have to do a partial Apache rewrite (mod_rewrite_ to inject the Tomcat webapp's context path into the proxied URL, but a quick scan of the docs doesn't make that clear. You
would have to have a JkMount directive, however. JkMount defines a URL path-to-worker mapping. For example:
Then the worker1 definitions in the workers.properties file would determine where the proxy request would be routed. An equivalent would be to define a mount point in the workers.properties, but I don't like that idea because it puts stuff related to the Apache URL in Tomcat definitions instead of in the Apache definitions where all the other Apache URL-related directives go.
As I said, I haven't worked with mod_j in quite a long time. It does tend to be quite confusing and messy compared to mod_proxy if you have the choice.
Mod proxy also has 2 modes. Basic mod_proxy, which just forwards http(s) requests (for example Apache port 80 to Tomcat port 8080) and mod_proxy_ajp, which uses the ajp binary protocol to talk to Tomcat's port 8009.