Part of my .htaccess file forces https on certain pages (e.g. when the user logs in, enters credit card information, etc.) while forcing http on all other pages. This seems to be the ideal setup for what I need.
However, one of my site's extensions is responsible for generating a credit card processing form. In the form's action URL, it has the https URL of the web root in it (e.g. https://domain.com/). However, the web root is not one of those pages that the .htaccess forces https on, thus it's forcing a redirect to http. Because of this, the extension is failing because the form is attempting to submit to an https URL that redirects to http.
What should I do? I don't want users being forced to view a secured page when they don't have to; I'd rather they reap the benefits of caching. And obviously, on secured pages, they need to submit to secured URLs (my site's CMS apparently works in such a way that all form submissions to the web root work just fine). I can't tell the extension to submit to a different URL.
Here's the relevant part of my .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
# Define default protocol for all assets
RewriteRule ^ - [E=protocol:http,E=ssl:%{HTTPS}off]
# Define HTTPS targets, add more cond as required
RewriteCond $1 (payment|sign-in|sign-up) [NC]
RewriteRule (.*) - [E=protocol:https,E=ssl:%{HTTPS}on]
# Rewrite host if necessary and redirect on correct protocol
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ %{ENV:protocol}://%1%{REQUEST_URI} [L,R=301]
# Protocol switch if necessary (host is already correct)
RewriteCond %{ENV:ssl} ^(onoff|offon)
RewriteCond %{REQUEST_URI} !\.(gif|jpe?g|png|css|js)$ [NC]
RewriteRule ^ %{ENV:protocol}://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Finally, process the internal redirect
RewriteCond $1 !\.(gif|jpe?g|png)$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L]
</IfModule>
Maybe this could be modified to "don't redirect if it's a form submission?"
In my opinion you're optimizing the wrong thing by strictly forcing certain pages to use HTTPS and others to use plain HTTP. Simply redirect everything to HTTPS and be done with it.
The computational cost of HTTPS is negligible in most cases.
Your concern about browser cache with SSL seems unfounded as well.
And my pet peeve: you're better off including your configuration in the main httpd.conf instead of relying on .htaccess files, according to the manual.
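As an added illustration of the answer's suggestion (this is example configuration, not something posted in the question or the answer), here is the same site with the scheme switching removed: every plain-HTTP request is redirected to HTTPS in the virtual host definition in the main server config rather than in .htaccess, the www. host is collapsed the way the original .htaccess did it, and the front-controller rewrite is kept. The hostname example.com, the certificate paths and the document root are placeholders, and mod_rewrite, mod_ssl and mod_headers are assumed to be loaded. Two points worth knowing about the original setup that this removes: a 301 issued in response to a POST makes the browser re-request with GET and drop the body, so any form that crosses the http/https boundary loses its data, which is exactly the failure the question describes; and a session cookie set on an HTTPS page is also sent on every plain-HTTP page unless it carries the Secure flag.

```apache
# Plain HTTP: do nothing except send the client to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    RewriteEngine On
    # NE keeps already-encoded characters in the path from being re-encoded.
    RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301,NE]
</VirtualHost>

# HTTPS: serve everything here.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    # Placeholder paths; point these at the real certificate and key.
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    RewriteEngine On
    # Canonical host: collapse www.example.com onto example.com, as the
    # original .htaccess did, but now without ever changing the scheme.
    RewriteCond %{HTTP_HOST} ^www\. [NC]
    RewriteRule ^ https://example.com%{REQUEST_URI} [L,R=301,NE]

    # HSTS: once a browser has seen this, it rewrites http:// links to
    # https:// itself, so the :80 redirect above is hit only on first visit.
    # Drop includeSubDomains if some subdomain still has to be plain HTTP.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Static assets cache over HTTPS exactly as they do over HTTP; an
    # explicit Cache-Control makes that intent visible to proxies and browsers.
    <FilesMatch "\.(gif|jpe?g|png|css|js)$">
        Header set Cache-Control "public, max-age=604800"
    </FilesMatch>

    <Directory /var/www/example.com>
        # Configuration lives here, so .htaccess is not consulted at all.
        AllowOverride None
        Require all granted
        # Front controller, unchanged from the original .htaccess:
        # anything that is not a real file or directory goes to index.php.
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^(.*)$ /index.php/$1 [L]
    </Directory>
</VirtualHost>
```

After reloading Apache, `curl -I http://example.com/payment` should return a single 301 with `Location: https://example.com/payment`, and `curl -I https://example.com/` should return 200 with the Strict-Transport-Security header and no Location header at all; the credit card form's action of https://domain.com/ then posts straight to the application with no redirect in between.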