Finaly we find the problem and hopefully a solution.
We used ajp beetwen our reverse proxy and aggregate and it seem to make our trouble.
Logs were inside Apache and no Tomcat.
[Fri May 18 13:51:17.145934 2018] [http:error] [pid 25763:tid 139674551056128] [client 10.1.1.56:38418] AH02429: Response header name 'Expires:' contains invalid characters, aborting request
or
[Fri May 18 13:59:06.277604 2018] [http:error] [pid 794:tid 139674534270720] [client 10.30.5.20:59606] AH02429: Response header name 'Last-Modified:' contains invalid characters, aborting request
depending the request.
it's similar to this issue https://forum.getodk.org/t/invalid-character-in-last-modified-header-tomcat8-with-odk-aggregate/9162/3
But for us the solution was not possible, unsecuring the proxy is 
added "HttpProtocolOptions unsafe"
So what we do is to use http instead of ajp (that's work directly if the securitychannel in security.properties is set to ANY_CHANNEL, but we use REQUIRES_SECURE_CHANNEL to work with Collect.
So, we change tomcat conf/server.xml to this :
<Connector port="32500" protocol="HTTP/1.1" URIEncoding="UTF-8" proxyName="qualif.psud.nc" proxyPort="443" secure="true" ></Connector>
With that conf tomcat guess connection are secured between himself and the reverse proxy, and he doesn't send redirection. Obviously connections are not secured inside but still secure behind the reverse proxy.
hope this could help anyone.
Maybe it could be nice to make ajp works with the new apache security.
thx