You have to do the following,

1. Go to the $WSO2_HOME/repository/conf and open carbon.xml, and uncomment

   <EnableHTTPAdminConsole>true</EnableHTTPAdminConsole> 
   

2. Disable secure cookie parameter in $WSO2_HOME/repository/conf/tomcat/carbon/WEB-INF/web.xml file as well.

   <session-config> 
    <cookie-config> 
     <secure>false</secure> 
    </cookie-config> 
   </session-config>
   

Assuming the system configuration of David doesn't introduce security issues following should work. (If the load balancers and WSO2 products are in the same private network or VPC there should be no additional security problems)

Note: Following approaches were tested with single tenant (super tenant) scenario only.

1. For the carbon console, the approach Abimaran has suggested should work.
2. For the store component couple of changes are required.

Replace the content in repository/deployment/server/jaggeryapps/store/site/themes/wso2/templates/user/login/redirector.jag with following.

<%
include("/jagg/jagg.jag");
var site = require("/site/conf/site.json");

var tenant = jagg.getTenantDomain();
var queryString = "";

session.put("showLogin", "true");
session.put("redirectToHTTPS", jagg.getHttpsUrl("/site/pages/login.jag")+queryString);
response.sendRedirect(jagg.getHttpsUrl("/site/pages/login.jag") + queryString);
%>

Replace the getHttpsUrl function definition in repository/deployment/server/jaggeryapps/store/jagg/jagg.jag

var getHttpsUrl = function(path, parameters){
    var hostname = "";
    var requestSegments = getRequestSegments();
    var protocol = "https://";
    mod = jagg.module("manager");
    var requestUrl = request.getRequestURL();

    if(requestUrl.indexOf("https://") != -1 ){
        hostname = mod.getHTTPsURL();
        hostname = hostname.replace("https://","");
    } else if (requestUrl.indexOf("http://") != -1 ) {
        hostname = mod.getHTTPURL();
        hostname = hostname.replace("http://","");
        protocol = "http://";
    }

    // if the site is fronted by a proxy server
    if(isReverseProxyEnabled()){
         hostname = site.reverseProxy.host ;
         //if a custom https port is used
         if(site.reverseProxy.hosts_port){
            hostname = hostname + ":" + site.reverseProxy.hosts_port;
         }
    }        

    return protocol + hostname + url(path, parameters);
}

3. For the publisher component, the following change should be done.

repository/deployment/server/jaggeryapps/publisher/site/themes/wso2/templates/user/login/template.jag

replace the part

<%      if(request.isSecure()){

        if(jagg.getUser() != null){
            response.sendRedirect('index.jag');
        }
%>

with

<%      if(true){

        if(jagg.getUser() != null){
            response.sendRedirect('index.jag');
        }
%>

Note: The security totally depends on the system architecture. Additionally, the above configurations are independent. If you need to let https access to all components then do all. For particular one, the respective configuration alone should work.

Hope it helps.