Forcing HTTPS on Apache with strange results

Question

I just bought an SSL cert for my site and I am trying to force HTTPS. It kinda works but not really. I am on Apache using PHP Slim framework for custom routing.

My folder struct

root/
   .htaccess (A)
   php/
   public_html/
     .htaccess (B)

.htaccess (A)

My main htaccess file has these rules

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

When I go to example.com it goes to the secure page. Great!

.htaccess (B)

My public_html file has these rules

<IfModule mod_rewrite.c>
    RewriteEngine on
    #RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule . index.php [QSA,L]
</IfModule>


# Always use https for secure connections
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Problem:

If I go to http://www.example.com/login,

instead of redirected to https://www.example.com/login,

it redirects to https://www.example.com/index.php

Answer 1

Rules in htaccess-files get's validate from top to bottom. In your htaccess, it first check if the requested resource (/login) exists on the server or not. If it doesn't, it redirects the request to index.php.

It should work if you simply moved the https-check/redirect before the other rule.

<IfModule mod_rewrite.c>
    RewriteEngine on
    #RewriteBase /

    # Always use https for secure connections
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

    # Redirect requests to non existing resources to index.php
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule . index.php [QSA,L]
</IfModule>

I also removed the second RewriteEngine On. Having it once is enough.