I have a certain portion of my site that should be behind SSL, which is reserved for registered users, and I want the rest of the site, which is open to the public, to be served by just HTTP. Currently it is set up so that all the pages, be they public or otherwise, are served by HTTPS. Also, both the public and non-public content resides under the same webroot.
Can you suggest a way to resolve this, or perhaps a best practice guide? Thanks!
EDIT
We use a LAMP stack.
First, be aware that serving mixed content can trigger browser warnings that tell the user that not everything they are seeing is "secure content".
Second, unless you are experiencing performance or latency problems, it's probably not worth the effort to split up your secure and non-secure content. The marginal server load created by SSL is quite small these days compared to 10-12 years ago, and most of the impact is caused by the initial connection negotiation, which is going to happen no matter what, if any part of your site requires SSL.
That said, if you need the performance boost and you are okay with the potential user confusion/annoyance, then I would recommend setting up a separately named host (e.g., if your secure website is www.sample.com, register static.sample.com as a CNAME/alias to that DNS record, or as a separate IP if you are feeling extravagant), setting up a new VirtualHost in Apache for that name without SSL enabled, and then using that location to store your static content.
If you need directory-by-directory separation of SSL and non-SSL content, the best way to go is to set up a second VirtualHost in Apache listening to port 80 and pointed to the same place your SSL VirtualHost is pointed, and then add redirects for the URIs that you require to be encrypted. For example:
(I obviously left a lot of stuff out, don't try to copy and paste.)
The best practice is to not mix HTTP and HTTPS traffic. Mixed content can pose a security vulnerability. An attacker could adjust the non-SSL traffic in a way to access the SSL portion.
JavaScript in particular is dangerous. But they could change an image which changes the instructions shown on the page. There have also been image and CSS vulnerabilities in browsers in the past.
Another discussion is here.
If you really want to though, it's quite easy. Have two Apache vhosts, one SSL and one not, but otherwise the same. Then in your PHP code, reference your URLs appropriately.
I do this for a lot of my sites. For instance, the site is non-SSL until you log in, then it's entirely SSL from there.
This pseudo-conf for Apache will do what you require: two virtual hosts, one with SSL, and redirects from the SSL-required path(s) to the HTTPS version of the site.
Once you've given your users a cookie keying to their identity, it's best to keep them on the SSL version of the site, so that their cookie can't be hijacked by malicious users on their unencrypted coffeeshop wireless connection, for example. You have a couple of options for making that work. Either use your application language (e.g. PHP) to detect the cookie and then redirect to the SSL version of the current page, or you could use mod_rewrite to force SSL when the cookie exists. But that's another question...
Best practice is to force the protected pages to be only accessed via HTTPS and non-HTTP pages to not be accessed via HTTPS. Using a language like PHP you can detect this and redirect the user to the appropriate protocol. You can also set this up via mod_rewrite if need be.
One issue you may notice is that if you serve a page via HTTP and a MITM attack is at play, the attacker can manipulate the HTML and change forms and links to instead go to HTTP so the attacker can still monitor. So even if you force a page to be accessed only via HTTPS, the attacker can still snoop any sensitive data.
A currently proposed solution to this is HTTP Strict Transport Security which is already in use on some websites. This brings the forcing of HTTPS into the browser so even if a form action was mangled via a MITM the browser won't submit it over HTTP.
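The setup the answers above describe (two Apache vhosts over one webroot, redirects forcing the protected paths to HTTPS, a mod_rewrite rule that keeps a logged-in user on HTTPS once the session cookie exists, and the Strict-Transport-Security header) as one added example; this is not any answerer's config, and the hostname, webroot, `/account` prefix, `PHPSESSID` cookie name and certificate paths are placeholders to adapt. It assumes mod_rewrite, mod_ssl and mod_headers are loaded.

```apache
# Added example, not from the answers above. All names and paths are placeholders.
Listen 80
Listen 443

<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/site            # same webroot as the SSL vhost
    RewriteEngine On

    # 1. Paths reserved for registered users are only ever served over HTTPS.
    RewriteRule ^/account(/.*)?$ https://www.example.com%{REQUEST_URI} [R=301,L]

    # 2. Once a session cookie exists, keep the user on HTTPS so the cookie is
    #    never sent in clear text (the "coffeeshop wireless" case above).
    RewriteCond %{HTTP_COOKIE} (^|;\s*)PHPSESSID=
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=302,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot /var/www/site
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem      # placeholder
    SSLCertificateKeyFile /etc/ssl/private/example.key    # placeholder

    # HSTS: after the first HTTPS visit the browser refuses plain HTTP for this
    # host, so a form action rewritten to http:// by a MITM is not submitted in clear.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Mark the PHP session cookie Secure (and HttpOnly) so it is never sent over
    # HTTP even if the user somehow reaches an http:// URL. Setting
    # session.cookie_secure in php.ini achieves the same thing.
    Header edit Set-Cookie ^(PHPSESSID=.*)$ "$1; Secure; HttpOnly"
</VirtualHost>
```

Check the result from outside with `curl -I http://www.example.com/account/` (expect a 301 to the https:// URL) and `curl -I https://www.example.com/` (expect the Strict-Transport-Security header); nothing in this config redirects HTTPS back to HTTP, since that would be a downgrade.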
If you mix HTTPS and HTTP content, the client gets the error "Unauthenticated content warning".
Apache actually makes it hard to mix up content like this - the SSL and non-SSL sites must be defined under separate vhosts - you just need to make sure the directory trees don't overlap.