I have the following settings:
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080"
               maxHttpHeaderSize="8192" maxThreads="150"
               minSpareThreads="25" maxSpareThreads="75"
               useBodyEncodingForURI="true" enableLookups="false"
               redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8009"
               enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" />
[channel.socket:localhost:8009]
info=Ajp13 worker, connects to tomcat instance using AJP 1.3 protocol
tomcatId=localhost:8009
Has a website with port 80 that has isapiredirect filter enabled.
My initial guess is "port HTTP80->HTTP8009->HTTPS8443" "port HTTP8080->HTTP8443"
Your AJP Connector (8009) is not HTTP; it uses the AJP protocol.
If a client connects via IIS, the flow will be:
IIS Http80 -> Tomcat AJP 8009 or via Https IIS Https443 -> Tomcat AJP 8009
As far as I know the AJP13 protocol does not support encryption of the data involved in IIS to Tomcat communications, but you can set a parameter to let tomcat know that the front webserver is HTTPS so that request.isSecure() returns true.
Your connectors on port 8080/8443 on tomcat will only be used if you connect directly to tomcat.
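
The flow described in the answer can be checked mechanically. The following is an added example, not part of the original question or answer: it cross-checks the redirector channel against the Tomcat connectors and reports which listener the IIS hop lands on and whether that hop is encrypted. The function names are hypothetical, and the sample inputs are constructed from the settings in the question, with closing tags added so the XML parses.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the connectors from the question, trimmed, closing tags added.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" redirectPort="8443" />
    <Connector port="8443" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
    <Connector port="8009" redirectPort="8443" protocol="AJP/1.3" />
  </Service>
</Server>"""

# Constructed sample: the redirector channel from the question.
WORKERS2 = """[channel.socket:localhost:8009]
info=Ajp13 worker, connects to tomcat instance using AJP 1.3 protocol
tomcatId=localhost:8009
"""

def connectors(server_xml):
    """Map port -> wire protocol for every <Connector> in server.xml."""
    result = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        proto = c.get("protocol", "HTTP/1.1")  # Tomcat's default when absent
        if proto.upper().startswith("AJP"):
            kind = "AJP"
        elif c.get("scheme") == "https" and c.get("secure") == "true":
            kind = "HTTPS"  # assumption: this marks the TLS connector, as on 8443
        else:
            kind = "HTTP"
        result[int(c.get("port"))] = kind
    return result

def redirector_ports(workers2):
    """Ports named in [channel.socket:host:port] sections of the redirector config."""
    return [int(p) for p in
            re.findall(r"^\[channel\.socket:[^:\]]+:(\d+)\]", workers2, re.M)]

def traffic_paths(server_xml, workers2):
    """Return (per-connector report, redirector targets that are not AJP)."""
    conns = connectors(server_xml)
    via_iis = set(redirector_ports(workers2))
    report = [{"port": port, "protocol": kind,
               "reached": "via IIS redirector" if port in via_iis else "direct only",
               "encrypted": kind == "HTTPS"}
              for port, kind in sorted(conns.items())]
    # A redirector channel aimed at a non-AJP connector is a misconfiguration.
    mismatched = sorted(p for p in via_iis if conns.get(p) != "AJP")
    return report, mismatched

if __name__ == "__main__":
    report, mismatched = traffic_paths(SERVER_XML, WORKERS2)
    for row in report:
        print(row)
    print("redirector targets that are not AJP connectors:", mismatched)
```

For the sample input, only port 8009 is reached through IIS, and it is reported as unencrypted AJP; 8080 and 8443 show up as direct-only listeners.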