How can I force users to access certain pages such as the shopping cart with HTTPS, while other parts remain in HTTP?

There are several options to redirect users from HTTP to HTTPS and vice versa. With Drupal the Secure Pages module is the easiest option.

You can also redirect users with some .htaccess magic. The following rule redirects the entire site:

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule (.*) https://%{SERVER_NAME}/$1 [redirect=permanent,last]

</IfModule>

Note that you MUST check the X-Forwarded-Proto header. Checking if HTTPS enabled will not work as SSL is terminated before it gets to one of our Apache webservers.

A more complex, Drupal specific, example is:

<IfModule mod_rewrite.c>
  RewriteEngine on

  # Must NOT be SSL
  RewriteCond %{HTTP:X-Forwarded-Proto} =https
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} /
  RewriteCond %{REQUEST_URI} !^/user
  RewriteCond %{REQUEST_URI} !^/admin
  RewriteCond %{REQUEST_URI} !^/cart
  RewriteCond %{REQUEST_URI} !^/checkout
  RewriteCond %{REQUEST_URI} !^/js
  RewriteRule (.*) http://%{SERVER_NAME}/$1 [last,redirect=permanent]


  # MUST be SSL
  RewriteCond %{HTTP:X-Forwarded-Proto} !=https
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d [or]
  RewriteCond %{REQUEST_URI} ^/user [or]
  RewriteCond %{REQUEST_URI} ^/admin [or]
  RewriteCond %{REQUEST_URI} ^/cart [or]
  RewriteCond %{REQUEST_URI} ^/checkout
  RewriteRule (.*) https://%{SERVER_NAME}/$1 [last]

</IfModule>

Use this as the basis for your own rule set. Every site will do things slightly differently.