I dont know what load balancer you are using so cannot give a specific config to that, i myself have a public accessible tomcat server through Nginx as it's proxy.
Nginx
upstream websites {
server 192.168.x.x:8080 fail_timeout=0;
}
server {
listen 80;
listen 443 ssl;
server_name www.example.com example.com;
location / {
proxy_pass http://websites/;
include proxy_params;
}
#SSL configuration here
}
I also let Nginx do SSL termination and compression because it is way easier to manage and setup, and if i want to later create loadbalance i can also do that with Nginx so no reason to do it in Tomcat.
https://www.digitalocean.com/community/tutorials/how-to-add-the-gzip-module-to-nginx-on-ubuntu-14-04
https://letsencrypt.org/
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
Than on Tomcat server.xml add a new virtual host for your site if not already present.
<Host name="www.example.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Alias>example.com</Alias>
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="test_example_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
Than in the manager.xml file for the manager project you can set who can access the manager HTML page, either set it to your public ip address or a jump-host, as i recall as standard only localhost can connect to the HTML manager.
Personally i have deleted the manager project from my own installation to avoid the security issues related to it if not managed correctly and that i didn't need it.
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="192.168.1.*" />
Set a user and password for the manager in tomcat-users.xml and you're good to go.