Assuming that this happens all on one machine, Tomcat can be set to listen only on localhost e.g. 127.0.0.1:8080 in which case SSL from nginx reverse proxy becomes redundant.