Disclaimer: while I dabble with Apache from time to time, I’m not a professional SysAdmin or Apache guru. The things described below is my own experience, and it should not be considered expert advice, just a staring point. An other way to say it: if you know better, please leave a comment :).
AskApache (a great blog BTW for technical network related stuff – the only negative thing being that sometimes it is too technical :)) has an article about mixing secure (fetched through HTTPS) and non-secure (fetched through HTTP) elements on a page. Usually the result of doing something like this is that the browser displays a warning and/or a broken lock instead of a normal lock. This can scare away security conscious users. Two things you can do to remedy this:
If you host the resources the link goes to, use the HTTPS protocol to link to them. Most of the times people use plain HTTP to link to static elements (like images, style-sheets and so on) because
the encryption in the HTTPS protocol creates an overhead and we want to keep CPU utilization low for our servers. Here are my counter-arguments: modern servers have plenty of CPU power. Also, most (read 99.9%) of modern web browser do multiple requests over the same connection, so that the encryption key is negotiated only once every N minutes (where N is around 15 if I remember right). An other argument would be (if you are using a hosting company): I never seen hosting companies charing by the amount of HTTPS connections made. Finally the big argument: are you ready to loose visitors / sales / whatever your site is about because users mistrusting your site (because of the warnings) to get some little speed and scalability gain?
If the given resources are not hosted by you and are not accessible through a secure connection, you could use mod_proxy to create a virtual proxy to make it seem as the response comes from your server. (You could also simply copy the page / image in question to your local server and serve it up from there, but that includes all kind of copyright problems). Some advantages and disadvantage:
- Advantage: you eliminate the mixed content warning
- Disadvantage: You are using double the bandwidth (because your server first fetches the given resource – thus using downstream bandwidth – then sends it to the client – using upstream bandwidth)
- Advantage: it is seamless for the client
- Disadvantage: you have to have mod_proxy installed. It is not included in the default Apache installation and SysAdmins are not very happy to install it, because it can very well be a security risk it not configured properly
- Advantage: it works with dynamic resources (for which the make-a-copy and serve-it-from-the-local-server wouldn’t work even if you would to resolve somehow the copyright issues)
One final note: the AskApache article talks about hosting videos (Google and YouTube) on a secure page. The interesting thing is that the browser only cares about the fact that the player is loaded through a secure connection, not that the video (loaded by the player) loads through a secure connection. This is done because the browser has no control over the plugins (in this case the Flash player) behavior. The good news is however that because of this if you chose the proxy solution, you don’t have to proxy the entire video, just the player (which is obviously much smaller).