If you are not going to encrypt the traffic to your server, treat its content as public information. If that sounds like a bad idea, encrypt your traffic so that passwords are not exposed in clear text. All communication should go over Secure Socket Layer (SSL).
The Let's Encrypt service makes quality SSL certificates available to everyone for free. They have to be renewed more often than paid certificates, but renewal can be automated with EFF's certbot. In fact, once you have a web proxy in front of Tomcat on a public-facing server, securing your traffic with Let's Encrypt is as easy as running the certbot script.
See Configure SSL for a Production Environment.
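As an added example (not from this page or the product's own documentation), this is a minimal nginx site that terminates TLS in front of Tomcat and serves the ACME challenge that certbot uses. It assumes the hostname placeholder DOCS_HOSTNAME_PLACEHOLDER, Tomcat listening on 127.0.0.1:8080, certbot's default certificate paths under /etc/letsencrypt/live/, and an ACME webroot at /var/www/letsencrypt; change these for your server.

```nginx
# Added example (not from the page): nginx as the TLS-terminating proxy in front of Tomcat.
# Assumptions: hostname DOCS_HOSTNAME_PLACEHOLDER, Tomcat on 127.0.0.1:8080,
# certbot default paths under /etc/letsencrypt/live/, ACME webroot /var/www/letsencrypt.
#
# Obtain the certificate once with:
#   certbot certonly --webroot -w /var/www/letsencrypt -d DOCS_HOSTNAME_PLACEHOLDER
# then let "certbot renew" (cron or a systemd timer) handle renewal;
# verify the renewal path with "certbot renew --dry-run".

# Port 80: answer ACME http-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name DOCS_HOSTNAME_PLACEHOLDER;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: terminate TLS here; the hop to Tomcat is clear text but stays on the loopback interface.
server {
    listen 443 ssl http2;
    server_name DOCS_HOSTNAME_PLACEHOLDER;

    ssl_certificate     /etc/letsencrypt/live/DOCS_HOSTNAME_PLACEHOLDER/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOCS_HOSTNAME_PLACEHOLDER/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Keep browsers on HTTPS for a year so a stray http:// link does not send the session cookie in clear.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Without this Tomcat builds http:// URLs in redirects and WebDAV responses.
        proxy_set_header X-Forwarded-Proto https;
        # WebDAV and large uploads exceed nginx's 1 MB default body limit.
        client_max_body_size 0;
    }
}
```

Two Tomcat-side settings complete the picture: bind the HTTP connector to the loopback address (`address="127.0.0.1"` on the `<Connector>` in server.xml) so the unencrypted hop is never reachable from the network, and add `org.apache.catalina.valves.RemoteIpValve` with `protocolHeader="x-forwarded-proto"` so Tomcat treats proxied requests as secure and marks cookies accordingly.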
Note that besides HTTPS traffic (Digital Workspace, Share, WebDAV, ReST API) you also need to consider:
- SharePoint Protocol
- IMAPS
- SMTP Inbound TLS
- SMTP Outbound TLS
- FTPS
- LDAPS Connection
- Hazelcast or JGroups connections (clustering)