Deny from all in subdirectory htaccess not overriding file rules in root htaccess

Question

I\'ve got a situation where I\'m trying to deny access to all files in a subdirectory of my website. I have added an htaccess file to this subdirectory and added a deny fro

Answer 1

Order of directives in apache is really not obvious.

You have a complete description of it on the documentation "How the sections are merged".

Here is an excerpt:

The order of merging is:

• (except regular expressions) and .htaccess done simultaneously (with .htaccess, if allowed, overriding )
• (and )
• and done simultaneously
• and done simultaneously

So what happens is that your directive is handled after the Directory ones (as a .htaccess is in fact a Directory directive for the current directory).

It works in your given exemple as theses files directives are in fact nested in the .htaccess Directory directives, and the second File directive is applied after the parent directory one.

You cannot use a directive in the parent, where files from the subdirectory would be excluded, as fileMatch is only working on the file name, and not on the file path. But you could maybe try with a LocationMatch, but it would maybe end in a quite complex one, to forbid also location hacks with dots.

In fact the solution I would use here is a RedirectMatch in the parent folder:

RedirectMatch 403 ^.*\.html$