This is something I keep circling around. The host doesn't seem like a thing you could encrypt, because the intermediaries need to know where to send your packets. It seems like https encrypts the headers: http://stackoverflow.com/questions/187655/are-https-headers-...
but does this include the Location header?
The HTTP request itself is encrypted, but the IP packet (including the source and destination IP addresses) is not. SSL/TLS is application level encryption, and if you wanted to encrypt the actual packet, you need to switch to something like IPsec, but even then you need some sort of routing method (which I can't remember).
IPSec can work in many different ways. One of those is to encapsulate the entire packet as the encrypted payload of a new packet, with the new packet having headers in plain text leading to the other end of the IPSec tunnel. That other end will then decrypt and forward as appropriate (this is called a 'tunnel').
Yes.
SSL / TLS happens below HTTP at the socket layer. This is why you couldn't have vhosts's using SSL on a single IP for a very long time (the webserver wouldn't know which certificate to use).