Issue with .htaccess redirecting all pages to HTTPS except one

Question

I have the code below in my .htaccess to redirect all pages to https except one (/wc-api/v2), which must NOT use SSL.

It does redirect all pages to https successfully, but if I go to /wc-api/v2, it redirects me to /index.php.

# Custom Redirect 

RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} !^on$
RewriteCond %{REQUEST_URI} !^/wc-api/v2
RewriteRule (.*) https://example.com/$1 [R,L]

# End Custom Redirects 

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

FYI The second block of redirects is required for Wordpress. I also cannot combine them into one single block or Wordpress will overwrite my changes.

C3roe · Accepted Answer

When rewriting is configured in .htaccess context, after your last rule is applied, the whole process starts over again, using the internally rewritten URL as the new “input”, until no more rules match.

That means, when you request /wc-api/v2, it is not rewritten to HTTPS, because it fails your first RewriteCond, and so the rule in the next block rewrites it to /index.php internally.

Now the “next round” starts, with /index.php as input. RewriteCond %{REQUEST_URI} !^/wc-api/v2 now does result in “true”, because the REQUEST_URI is not /wc-api/v2 any more, it is now /index.php. Therefor, the RewriteRule is applied – and you are redirected to https://example.com/index.php

To avoid this, you must add another RewriteCond, which will prevent the rule from being applied for the REQUEST_URI /index.php as well:

RewriteCond %{HTTPS} !^on$
RewriteCond %{REQUEST_URI} !^/wc-api/v2
RewriteCond %{REQUEST_URI} !^/index\.php$
RewriteRule (.*) https://example.com/$1 [R,L]

Issue with .htaccess redirecting all pages to HTTPS except one

Answers (2)

Related Questions