Two apps - one with SSL, the other without

         

Solta

12:16 am on Jan 11, 2008 (gmt 0)

10+ Year Member



I have a web server that's serving up two applications, one to a web browser, and one to a small touch screen. How do I disable SSL on the touch screen application, while leaving it enabled on the web application?

The web application is in the main public_html directory, and the touch screen application is within a directory of the public_html one. Additionally, I need to block web access to the touch screen app directory. So, ideally, I would want Apache to recognize it's being accessed by the touch screen client, serve the pages without https, yet not allow web browsers to access the touch screen app directory. Any ideas?

gergoe

12:36 am on Jan 11, 2008 (gmt 0)

10+ Year Member



In any case, you will certainly need two virtualhosts (because https uses port 443, while http uses port 80, they cannot share the same port by any means), but those two can be configured slightly differently:
  • The first one is SSL enabled (runs on port 443), serves the files from the public_html directory.
  • The second one can be configured two ways:
    1. No SSL (runs on port 80), and pointing to the same directory as the first virtualhost;
    2. No SSL (runs on port 80), but it points to the subdirectory of the touchscreen application. When you go for this, you can deny all access to the touchscreen application from the first virtualhost.

If you run both virtualhosts in the main directory, you have to take care of denying requests to the touchscreen application in some way, which might be difficult (see later), but if you go for the second, you can configure a separate name for that virtualhost, and use that name in the touchscreen devices (like touchscreenapplication.example.com). This way the first (SSL enabled) virtualhost would be available to the public, while the second one would be only placed in the touchscreen devices, nobody else would know/use that one.

If you want to protect a directory based on the browser (whatever a browser is in this case), you can use the User-Agent header of the HTTP request IF the browser built into the touchscreen device does send one. Furthermore, if that browser is a common one (might be used in other embedded devices), then you may have serious problems with this approach.

Don't know what is possible in your case, but consider the following alternatives:

  • HTTP authentication (could be programmed in the touchscreen devices)
  • IP address filtering (if the touchscreens are on a different network than the other clients)
  • use a special URL when calling the second application, would serve as a kind of login (when that is the first page called in a session, let it access anything, otherwise deny access)
  • ...

Solta

6:42 pm on Jan 16, 2008 (gmt 0)

10+ Year Member



Thank you for your detailed reply. Just found out that the device will be physically attached to a machine which has Apache running on it. The device's subnet will always be 127.x.x.x/24 (loopback address). Is there a way to configure Apache to serve web pages to this device with that subnet?

gergoe

11:28 pm on Jan 16, 2008 (gmt 0)

10+ Year Member



Certainly, with mod_access you can deny all access to the touchscreen application except from the devices themselves, but in the main site you can make a rewrite rule to redirect browsers from this subnet to the touchscreen application.

Or what you can do (and it is actually better) is to set up another virtualhost, which would listen on your own subnet (but not on any of the public addresses), and remove it completely from the normal application.

For example consider the following setup:

#
# Make Apache listen on the right IP addresses and ports
# (Listen needs an explicit port; 80 is plain HTTP, 443 is HTTPS)
Listen your.ip.address:80
Listen your.ip.address:443
Listen 10.0.0.1:80
#
# Tell Apache that it can expect name based virtualhosting on the internet address
NameVirtualHost your.ip.address:80
#
# Virtualhost for the touchscreen devices (it does not matter what hostname they use in the devices, only the IP address must match)
<VirtualHost 10.0.0.1:80>
ServerName TouchScreen.Application
DocumentRoot /path/to/the/touchscreen/app
</VirtualHost>
#
# Virtualhost for your other application
<VirtualHost your.ip.address:80>
ServerName www.example.com
DocumentRoot /path/to/the/normal/app
</VirtualHost>
#
# Virtualhost with SSL support for your other application
<VirtualHost your.ip.address:443>
ServerName www.example.com
DocumentRoot /path/to/the/normal/app
SSLEngine On
# ...
</VirtualHost>
#
# Virtualhost for another website
<VirtualHost your.ip.address:80>
ServerName www.sample.com
DocumentRoot /path/to/the/www/files
</VirtualHost>
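
An added example (not from either poster) that applies the loopback detail from the later posts to the layout in the first post, where the touchscreen app is a subdirectory of public_html and so stays reachable through the public virtualhosts unless it is denied there. The address 203.0.113.10, the hostnames and the /home/site paths are placeholders; the access directives are Apache 2.2 style, with the 2.4 equivalents noted in comments.

```apache
# Placeholders (assumptions): 203.0.113.10, /home/site/public_html, hostnames.
Listen 203.0.113.10:80
Listen 203.0.113.10:443
Listen 127.0.0.1:80

NameVirtualHost 203.0.113.10:80

# Server-wide default: nobody gets the touchscreen directory, whichever
# virtualhost maps a URL onto it. Any virtualhost added later that points at
# public_html inherits this deny.
# (Apache 2.4: replace the Order/Deny lines with "Require all denied".)
<Directory /home/site/public_html/touchscreen>
    Order Deny,Allow
    Deny from all
</Directory>

# Touchscreen app: plain HTTP, bound to loopback only, so it is never
# offered on the public address at all.
<VirtualHost 127.0.0.1:80>
    ServerName touchscreen.localhost
    DocumentRoot /home/site/public_html/touchscreen
    # <Directory> sections inside a virtualhost are applied after the
    # server-wide ones, so this overrides the deny for this virtualhost only.
    # (Apache 2.4: "Require ip 127.0.0.0/8".)
    <Directory /home/site/public_html/touchscreen>
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.0/8
    </Directory>
</VirtualHost>

# Public web app over plain HTTP; /touchscreen/ is refused here by the
# server-wide deny above.
<VirtualHost 203.0.113.10:80>
    ServerName www.example.com
    DocumentRoot /home/site/public_html
</VirtualHost>

# Public web app over HTTPS; /touchscreen/ is refused the same way.
<VirtualHost 203.0.113.10:443>
    ServerName www.example.com
    DocumentRoot /home/site/public_html
    SSLEngine On
    # SSLCertificateFile and SSLCertificateKeyFile go here
</VirtualHost>
```

After a reload, a request for /touchscreen/ on the public address should return 403 on both ports, while the same files load from 127.0.0.1 on the machine itself.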