Thank you for the response, Mark.
So if I understand your answer properly, the HTTPS connection is not authenticated on the Security server in the DMZ.
It looks like it gets just wrapped into AJP13 and sent to the internal connection server.
The risk I am concerned about is that the unauthenticated HTTP (wrapped) request reaches the internal server.
This looks risky if something like this happens: http://www.cvedetails.com/cve/CVE-2012-5978/
An unauthenticated user would be able to get files from an internal server instead of being isolated in the DMZ.
Is there a way to mitigate these risks and prevent unauthenticated users from hitting the internal servers?
Maybe client SSL certificates?
Thank you