"Deny from all" ignored on new test server

Jesdisciple

5:10 pm on Jun 2, 2009 (gmt 0)

10+ Year Member



I have an /includes directory and don't want any contents viewable from a browser. I placed the following .htaccess in the directory and it has no effect; I haven't tested it on the deployment server.

Deny from all

I find no relevant AllowOverride directive in apache2.conf nor its includes.

Thanks.

g1smd

5:23 pm on Jun 2, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Place the folder above webroot,

or add,

RewriteEngine On
RewriteRule . - [F]

in the .htaccess file inside the folder.

jdMorgan

5:46 pm on Jun 2, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"Deny from" has moved from mod_access to mod_authz_host [httpd.apache.org].
It requires "AllowOverride Limit" if you wish to use it in a .htaccess context.
Be sure you've defined an "Order" in which Allow/Deny rules are to be applied.

Jim
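
Added example (not part of the original post): a small Python check of which AllowOverride value applies to a directory and which lines of a .htaccess file it does not permit. The sample configuration, the paths and the default of "All" (the Apache 2.2 default; 2.4 defaults to None) are assumptions, and only plain <Directory> paths are handled, not wildcards or regex sections.

```python
import re

# Override class each directive used in this thread's .htaccess belongs to.
NEEDED = {"order": "Limit", "allow": "Limit", "deny": "Limit",
          "rewriteengine": "FileInfo", "rewriterule": "FileInfo"}

def effective_override(conf_text, directory, default="All"):
    """AllowOverride classes from the most specific <Directory> covering `directory`."""
    target = directory.rstrip("/") + "/"
    best_len, value = -1, default.split()
    blocks = re.findall(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>',
                        conf_text, re.S | re.I)
    for path, body in blocks:
        path = path.strip().rstrip("/") or "/"
        prefix = path if path == "/" else path + "/"
        if not target.startswith(prefix):
            continue
        found = re.findall(r'^\s*AllowOverride\s+(.+)$', body, re.M | re.I)
        if found and len(path) >= best_len:   # longer (or later) section wins
            best_len, value = len(path), found[-1].split()
    return value

def not_permitted(htaccess_text, overrides):
    """(directive, needed class) pairs that the granted overrides do not cover."""
    granted = {o.lower() for o in overrides}
    result = []
    for line in htaccess_text.splitlines():
        words = line.split()
        need = NEEDED.get(words[0].lower()) if words else None
        if need and "all" not in granted and need.lower() not in granted:
            result.append((words[0], need))
    return result

# Constructed sample configuration; the .htaccess lines are the ones from the thread.
CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
</Directory>
"""
HTACCESS = "RewriteEngine On\nRewriteRule . - [F]\nDeny from all\n"

if __name__ == "__main__":
    ov = effective_override(CONF, "/var/www/includes")
    print(ov, not_permitted(HTACCESS, ov))
```

With AllowOverride None the .htaccess file is not read at all; with a partial list, a directive outside the granted classes makes Apache answer with a 500 error rather than silently skipping it.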

Jesdisciple

3:59 pm on Jun 3, 2009 (gmt 0)

10+ Year Member



Thanks much for the suggestions... The deployment server only lets me access the webroot, so I'm stuck with .htaccess.

.htaccess now reads:


RewriteEngine On
RewriteRule . - [F]
Deny from all

I'm trying to use localhost subdomains, and the relevant <Directory> container now holds:


Options Indexes FollowSymLinks MultiViews +Includes
AllowOverride All Limit
Order allow,deny
allow from all

I haven't observed any changes yet; I hope it's not because I'm forgetting to mention an Achilles' heel.

g1smd

4:04 pm on Jun 3, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you use RewriteRule in .htaccess, you don't need deny in the same file.

SteveWh

5:58 pm on Jun 3, 2009 (gmt 0)

10+ Year Member



Going back to your original attempt:
Deny from all

If a higher-up .htaccess has this in it:
order deny,allow
allow from all

then your
Deny from all
farther down the directory tree will have no effect because the server is processing the deny lines first, then the allow lines, and "allow from all" overrides your "deny from all".

In the subdirectory you want to deny, try using this:

order allow,deny
deny from all

Jesdisciple

9:01 pm on Jun 3, 2009 (gmt 0)

10+ Year Member



g1smd: Well, neither is working yet so I guess there's no harm in reaffirming it. *shrug*

SteveWh: I'm a bit confused by the directives you gave at your message's end. I put "order deny,allow" in both the <Directory> tag and the .htaccess file... Still no change, and I'm restarting Apache after each modification in case that's necessary.

Thanks.

SteveWh

9:46 pm on Jun 3, 2009 (gmt 0)

10+ Year Member



What is apache2.conf? Is that equivalent to the httpd.conf I'm familiar with?

<Directory></Directory> blocks cannot go in .htaccess.

Note that the two lines I suggested were:
order allow,deny (not order deny,allow)
deny from all

The order is critically important. If you use "order deny,allow" and there is an "allow from all" anywhere that has equal precedence, none of your deny lines will ever work because "allow from all" is processed last and allows everybody.

If it still doesn't work, it would seem you must have conflicting commands in a more specific section of your config files (such as <Directory></Directory> <Files></Files> etc.) that are overriding.

If you have a complicated set of directives that might be interfering with each other, this page should help sort them out: [httpd.apache.org...]

-----

When you revise httpd.conf, you need to restart the server.

When you revise .htaccess files, you don't need to restart the server.

[edited by: SteveWh at 9:52 pm (utc) on June 3, 2009]
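
Added example (not part of the original posts): a Python model of how the Order, Allow and Deny lines of a single configuration section decide one request, showing why the same "deny from all" blocks under "order allow,deny" but not under "order deny,allow" with "allow from all". The function names, sample sections and client address are constructed; it handles only "all", IP and CIDR arguments and does not model how separate sections or .htaccess files are merged.

```python
import ipaddress

def _matches(spec, client_ip):
    # Constructed subset of "from" arguments: "all", a single IP, or a CIDR block.
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def is_allowed(section, client_ip):
    """Apply the Order/Allow/Deny lines of ONE section to one client address."""
    order = "deny,allow"          # Apache's default when no Order line is present
    allow, deny = [], []
    for line in section.splitlines():
        words = line.split()
        if len(words) < 2 or words[0].startswith("#"):
            continue
        name = words[0].lower()
        if name == "order":
            order = words[1].lower()
        elif name in ("allow", "deny") and words[1].lower() == "from":
            (allow if name == "allow" else deny).extend(words[2:])
    allowed = any(_matches(s, client_ip) for s in allow)
    denied = any(_matches(s, client_ip) for s in deny)
    if order == "allow,deny":     # Allow first, Deny second; no match means denied
        return allowed and not denied
    if order == "deny,allow":     # Deny first, Allow second; no match means allowed
        return allowed or not denied
    raise ValueError("unsupported Order value: " + order)

# Constructed sections built from the directive lines quoted in the thread.
SAMPLES = {
    "deny only (default order)": "Deny from all",
    "deny,allow with allow all": "order deny,allow\nallow from all\ndeny from all",
    "allow,deny with deny all": "order allow,deny\ndeny from all",
    "allow,deny with allow all": "Order allow,deny\nallow from all",
}

def demo(client_ip="203.0.113.9"):
    """Map each sample section to True (request allowed) or False (403)."""
    return {name: is_allowed(text, client_ip) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} -> {'allowed' if ok else 'denied (403)'}")
```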

Jesdisciple

11:12 pm on Jun 3, 2009 (gmt 0)

10+ Year Member



Yeah, the first time I noticed that change I surmised they just wanted to use the server's more popular name. httpd.conf still exists, but it's empty.

Aha, I read the documentation for the 'order' directive earlier to get clarification, and I interpreted it as the opposite of the intended meaning. But switching them back as you had them (and as the sites-enabled file was) had no effect.

If I have conflicting directives, I can only conclude that they're in here:


# Include generic snippets of statements
Include /etc/apache2/conf.d/

That directory contains files 'charset', 'phpmyadmin.conf', and 'security'. The first two sound uninteresting, and the sum of all uncommented lines in 'security' follows:

ServerTokens Full
ServerSignature On
TraceEnable On

Jesdisciple

4:50 am on Jun 4, 2009 (gmt 0)

10+ Year Member



Update: I think the problem is that the sites-enabled directory isn't actually being included... I got a warning about my "NameVirtualHost *:80" directive having no corresponding "VirtualHosts" tag, but the tag is in sites-enabled/000-default. See my other thread [webmasterworld.com] for more details.

[edited by: Jesdisciple at 4:50 am (utc) on June 4, 2009]

Jesdisciple

6:21 am on Jun 4, 2009 (gmt 0)

10+ Year Member



Nope, that wasn't it. Trying to resolve my other problem, I cleared my cache and it went away. So did this one, mostly. The /includes directory gave an Error 500 page, and that was a lot better than earlier. Removing the rewrite directives from the .htaccess yielded the appropriate 403 (which I find really weird, but no complaints here).

Thanks, all!