This is a description of how to force SSL on the User and Admin pages of Drupal, while allowing non-SSL access to other parts of the site.

There are some caveats to this configuration. It will not force the user back to non-SSL once the user is redirected to a secure page. However, it does not prevent the user from entering a non-SSL URL in the URL box, so long as that URL is not to the "user" or "admin" paths within Drupal. This has the effect that the connection will automatically become SSL-protected when either of these two sections are accessed, and that the session will tend to remain SSL for the rest of the time the site is used during that session. This causes two possibly negative effects.

Firstly, if a user manually changes their URL box entry in their browser to the "http://" equivalent of a location not within the "user" or "admin" spaces, their session will no longer be encypted. Some non-public data could be transferred in cleartext over the browser session. Since the user manually changed the URL box, presumably they understand the risks here and have chosen to accept them.

Secondly, if a user logs into Drupal, their session will become SSL-protected, because they access the "user" section to do so. However, if they then close their browser window or browse to another location, then return to the site, their session will no longer be SSL-protected. This is an unintentional instance of the first example above. As above, there is a possibility that some non-public data could be transferred over the wire in cleartext in this scenario. Of course, were the user to then navigate to the "user" or "admin" sections, their session would from that point become encrypted. This scenario involves a user unwittingly making their session insecure.

The team(s) or individual(s) managing the site are responsible for considering these risks, as well as the associated consequences, and choosing the appropriate course of action.

Here is how to install this configuration, if you choose to continue:

In the httpd-vhosts.conf file, configure your port 80 virtual host as follows:

RewriteEngine On
Redirect /user https://sitename.mit.edu/user
Redirect /admin https://sitename.mit.edu/admin

Enable "Clean URLs" in the web admin interface of Drupal.

Install the "globalredirect" module into the modules directory used for the site you're configuring. For example, if your drupal installation is under /var/www/drupal, then you might use /var/www/drupal/sites/all/modules as the directory to extract the module, so that the module would be located in /var/www/drupal/sites/all/modules/globalredirect, and would be used by all sites. Here is an example, assuming your module is called "globalredirect.tgz" and is located in /usr/local/src:

cd /var/www/drupal/sites/all/modules
tar -xfvz /usr/local/src/globalredirect.tgz

Run update.php on the site from a web browser.

Enable both the "path" and "globalredirect" modules in the Admin interface of Drupal.