I tested this on my Apache 2.2.14 instance and it worked fine:
Use the NameVirtualHost directive (in ports.conf):
NameVirtualHost *:443
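Define your vhosts:
# First name-based TLS virtual host
<VirtualHost *:443>
    ServerName www.siteA.com
    DocumentRoot "/opt/apache22/htdocs/siteA"
    # Enable TLS for this vhost (required unless it is already set globally)
    SSLEngine on
    SSLCertificateFile "/path/to/my/cert"
    SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>
# Second name-based TLS virtual host on the same address and port
<VirtualHost *:443>
    ServerName www.siteB.com
    DocumentRoot "/opt/apache22/htdocs/siteB"
    SSLEngine on
    SSLCertificateFile "/path/to/my/cert"
    SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>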
I used this link as a resource.
My hosting plan is pay-as-you-go. Will bandwidth cost more for HTTPS since it's encrypted? Example: will a 100MB file end up using more than 100MB of bandwidth?
No. The block or stream ciphers that are used by SSL/TLS to encrypt the data in transit will add, at most, a handful of bytes to the file's transfer size.
I understand that HTTP is faster, but is HTTPS similar in speed after all the initial server handshake stuff? (Note: I am using a CDN.)
Yes. Encryption takes extra CPU time on the server and on the client, but on modern CPUs the impact is fairly low. As long as your client and server are not CPU-bound, the encrypted transfer will be just about the same speed as unencrypted.
The URL I give out to download the file will contain a signature, etc. to verify that only the person who purchased can download. Should I use HTTPS to keep this signature secure?
Yes, the URL being visited is secured end-to-end from the client to the server by SSL/TLS - the exception here is that the hostname part of the URL is not necessarily secure, but in your case that should not be an issue. As long as the client system is not compromised or using a malicious proxy server, the data is safe in transit.
If I were to use HTTP, would the file transferred be secured from hackers?
No. HTTP traffic is completely in the clear; anyone on the same network segment as the client downloading the file (or the same coffee shop Wi-Fi), as well as anyone with access to any of the network infrastructure between the client and server, is able to see the full request and full response. SSL also provides additional assurance to the client that the system they're connecting to is what it says it is, instead of a potential attacker's server. If the data being transferred in the download or the URL to request the download is sensitive, then encrypt it.
Best Answer
This pseudo-conf for Apache will do what you require: two virtual hosts, one with SSL, and redirects from the SSL-required path(s) to the HTTPS version of the site.
Once you've given your users a cookie keying to their identity, it's best to keep them on the SSL version of the site, so that their cookie can't be hijacked by malicious users on their unencrypted coffee shop wireless connection, for example. You have a couple of options for making that work. Either use your application language (e.g. PHP) to detect the cookie and then redirect to the SSL version of the current page, or you could use mod_rewrite to force SSL when the cookie exists. But that's another question...
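
A sketch of the layout this answer describes, added here as an example; it is not the answerer's original pseudo-conf. The host name www.example.com, the document root, the paths /login and /account, and the cookie name SESSIONID are assumptions; the certificate paths are placeholders.

```apache
# Plain-HTTP virtual host: serves public pages, redirects everything
# sensitive to the TLS virtual host below.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"

    RewriteEngine On

    # Paths that must only be served over TLS (assumed: /login, /account).
    # In virtual-host context the pattern is matched against the URL path,
    # and the original query string is carried over automatically.
    RewriteRule ^/(login|account)(/.*)?$ https://www.example.com%{REQUEST_URI} [R=301,L]

    # A request that carries the session cookie (assumed name: SESSIONID)
    # over plain HTTP belongs to a signed-in user: send it back to TLS.
    RewriteCond %{HTTP_COOKIE} (^|;\s*)SESSIONID=
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=302,L]
</VirtualHost>

# TLS virtual host: the only place the session cookie should be issued.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/example"

    SSLEngine on
    SSLCertificateFile "/path/to/my/cert"
    SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>
```

The cookie rule is only a fallback: by the time it matches, the browser has already sent the cookie in clear text over port 80. The application should also set the Secure attribute on the session cookie so the browser never attaches it to a plain-HTTP request.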