How can I force users to access certain pages such as the shopping cart with HTTPS, while other parts remain in HTTP?
There are several options to redirect users from HTTP to HTTPS and vice versa. With Drupal, the Secure Pages module is the easiest option.
You can also redirect users with some .htaccess magic. The following rule redirects the entire site:
    <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{HTTP:X-Forwarded-Proto} !=https
      RewriteRule (.*) https://%{SERVER_NAME}/$1 [redirect=permanent,last]
    </IfModule>
Note that you MUST check the X-Forwarded-Proto header. Checking whether HTTPS is enabled will not work, because SSL is terminated before the request reaches one of our Apache webservers.
A more complex, Drupal-specific example is:
    <IfModule mod_rewrite.c>
      RewriteEngine on

      # Must NOT be SSL: send everything except the protected paths back to HTTP
      RewriteCond %{HTTP:X-Forwarded-Proto} =https
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteCond %{REQUEST_URI} /
      RewriteCond %{REQUEST_URI} !^/user
      RewriteCond %{REQUEST_URI} !^/admin
      RewriteCond %{REQUEST_URI} !^/cart
      RewriteCond %{REQUEST_URI} !^/checkout
      RewriteCond %{REQUEST_URI} !^/js
      RewriteRule (.*) http://%{SERVER_NAME}/$1 [last,redirect=permanent]

      # MUST be SSL: send the protected paths to HTTPS
      # The file and directory checks are ANDed; only the path tests are ORed.
      # An [or] on the !-d line would match every non-directory request and
      # bounce ordinary pages between the two rules.
      RewriteCond %{HTTP:X-Forwarded-Proto} !=https
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteCond %{REQUEST_URI} ^/user [or]
      RewriteCond %{REQUEST_URI} ^/admin [or]
      RewriteCond %{REQUEST_URI} ^/cart [or]
      RewriteCond %{REQUEST_URI} ^/checkout
      RewriteRule (.*) https://%{SERVER_NAME}/$1 [last]
    </IfModule>
Use this as the basis for your own rule set. Every site will do things slightly differently.
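Before deploying a variant of the Drupal rule set, it helps to check that no path bounces between HTTP and HTTPS. The following Python model is an added example, not part of the original page: it reproduces how mod_rewrite chains `RewriteCond` lines (ANDed, with `[or]` joining a condition to the next one) and follows the resulting redirects. The function names and the `or_on_dir` switch are assumptions made for the illustration.

```python
SECURE = ("/user", "/admin", "/cart", "/checkout")  # paths that must stay on HTTPS

def conds_match(conds):
    """conds is a list of (result, or_next) pairs, one per RewriteCond.
    Conditions are ANDed; [or] links a condition to the one that follows it."""
    i = 0
    while i < len(conds):
        ok, or_next = conds[i]
        if or_next:
            if ok:
                while i < len(conds) and conds[i][1]:  # skip rest of the OR chain
                    i += 1
        elif not ok:
            return False
        i += 1
    return True

def next_scheme(scheme, path, is_file=False, is_dir=False, or_on_dir=False):
    """Return the scheme the request is redirected to, or None if it is served.
    scheme stands for the X-Forwarded-Proto value set by the SSL terminator."""
    sec = [path.startswith(p) for p in SECURE]
    # Rule 1, "Must NOT be SSL" (the always-true REQUEST_URI / test is omitted)
    rule1 = [(scheme == "https", False), (not is_file, False), (not is_dir, False)]
    rule1 += [(not s, False) for s in sec] + [(not path.startswith("/js"), False)]
    if conds_match(rule1):
        return "http"
    # Rule 2, "MUST be SSL"; or_on_dir puts an [or] flag on the !-d condition
    rule2 = [(scheme != "https", False), (not is_file, False), (not is_dir, or_on_dir)]
    rule2 += [(s, True) for s in sec[:-1]] + [(sec[-1], False)]
    if conds_match(rule2):
        return "https"
    return None

def final_scheme(scheme, path, max_hops=5, **kw):
    """Follow redirects and return the final scheme, or "LOOP" if none is reached."""
    for _ in range(max_hops):
        nxt = next_scheme(scheme, path, **kw)
        if nxt is None:
            return scheme
        scheme = nxt
    return "LOOP"

if __name__ == "__main__":
    for start, path in [("http", "/cart"), ("https", "/node/1"), ("http", "/node/1")]:
        print(start, path, "->", final_scheme(start, path),
              "| with [or] on !-d:", final_scheme(start, path, or_on_dir=True))
```

With the `!-d` condition ANDed, `/cart` ends up on HTTPS and `/node/1` on HTTP; with `[or]` on that condition, `/node/1` never settles.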