Before we get into "Just show him how to aim the gun" territory ...

My .htaccess file has a lot of stuff that I don't want to change, and other parts that are more fluid.

Parts you don't plan to change don't belong in htaccess; they belong in config. Problem solved ;)

AccessFileName .htaccessA .htaccessB

Not according to the docs: AccessFileName works the same way as, for example, DirectoryIndex, where it grabs the first available option and stops looking.

:: detour to check something ::

Nope, didn't think so. "Include" can't be used in htaccess, so that's out. Now, it can be used inside a <Directory> section-- the same place you'd put your non-changing stuff-- so that's a potential loophole.

Well, what I meant is that I have a bunch of denials in .htaccess that are aimed at well known bad IPs. I don't want to touch those often. There are other things, for example redirects, that I consider kind of fluid. The way I view config is that it's what I don't want to touch ever. I consider that an Apache basic operations file that I consider pretty much "hands off" once I have things working (as in, setting AccessFileName).

I'm not sure what you mean by grabbing the first option and then stopping looking. That is, if .htaccessA says deny access to 111.222.333.444, then I don't really care what it says about that IP in .htaccessB. Are you saying that .htaccessA just takes precedence over .htaccessB in this configuration? Works for me.

I see it written up where AccessFileName can point to two files. The default is .htacess. That's what happens if there is no AccessFileName. So what's AccessFileName supposed to be doing with those two files if not considering both as .htaccess files?

I have three....

.htaccess.steady
.htaccess.flex
.htaccess

"steady" is the parts I don't change
"flex" is the parts I change, and change often (sometimes reading in from a database, etc)

.htaccess is the other two files merged, thus just one .htaccess

But I do this only for the anal-retentive type client who just has to track and tap all kinds of things

So you maintain two separate files, like I'm wanting to do, but just concatenate them into a third and post just that one? I guess that's another option. It certainly protects the "steady" stuff.

.htaccess is the other two files merged, thus just one .htaccess

How/when are "the other two files merged"?

I'm not sure what you mean by grabbing the first option and then stopping looking

If the server finds a file called htaccessA, it will not bother to look for htaccessB, in much the same way that once it finds index.html, it doesn't care whether there is also an index.php or, for that matter, a main.jsp.

The "include" loophole is that you could keep your fluid stuff in a supplementary file, which you edit at will, so it's updated every time you restart the server. That's assuming, of course, that your supplementary file will never ever contain typos or syntax errors, or you'll bring down the whole server. Keep in it htaccess and you'll only bring down one site ;)

Edit: For comparison purposes, here is what I personally do, in a setup where I can only use htaccess. In my userspace, one level up from the individual sites (you could also do this with a "primary" domain if you don't use it for anything else), there's a shared htaccess file that is almost exclusively concerned with access control. It uses mod_setenvif and mod_authzthingy, as well as setting a few headers and so on, but absolutely no mod_rewrite for inheritance reasons. Then, on the site level, there are separate htaccess files with site-specific content. Most of this is in mod_rewrite. If I had use of the config file, the shared part would instead be in a <Directory> section, since it doesn't change much.

Um, OK. So if I put

AccessFileName .htaccess1 .htaccess2

It won't give me an error but it'll just ignore .htaccess2 and set the htaccess function to .htaccess1? That seems a little odd.
Now apache.org/docs says that "Syntax: AccessFileName filename [filename] ...". That sort of implies that this statement is going to do something with that second filename, no?

So you maintain two separate files, like I'm wanting to do, but just concatenate them into a third and post just that one?

Yes. But then again, I said I only do this for the "crazy got to mess with it all the time" kind of clients.

Me?

One file, in commented format such as "edits go here" and ends with "edits stop here" and do everything I can to keep a reasonable and well managed grouping of denies which make sense ... ie., not everything needs to be nuked, but if you do, nuke 'em all and move on.

It is different for everyone. What works for me may not work for another.

But I do believe that less is more in most cases and why complicate things?

config is one thing .... that's the stuff you rarely ever change
htaccess is playground stuff ... useful in some cases, but is not the be-all-end-all. There is a point of diminishing returns. One has to find that point for their operation.

That sort of implies that this statement is going to do something with that second filename, no?

What the docs [httpd.apache.org] actually say (no significant change between 2.2 and 2.4) is

AccessFileName filename [filename] ...

While processing a request, the server looks for the first existing configuration file from this list of names in every directory of the path to the document

Emphasis mine, punctuation theirs.

Don't forget the inherit feature. You can build your hierarchy like a Christmas tree.

Don't forget the inherit feature.

Although the OP does state, "kept in the same folder".

Is the "kept in the same folder" requirement set in stone?

(Although inheriting mod_rewrite directives can have additional complications.)

Thank you, Lucy. Yes, the official syntax for that statement is

AccessFileName filename [filename] ...

which appears to mean that you can put as many filenames as you want in the statement but I'm only going to pay any attention to the first one and not hand you an error message. That strikes me as pretty odd syntax. I mean if you're not going to pay any attention to the second filename, why even offer it in the syntax description? OK, it looks like I'm going to be doing

cat .htaccess1 .htaccess2 > .htaccess

I've taken over a few sites. What I see most is htaccess built piecemeal, bit by bit with no forsight. Granted, this takes time & experience.

Some of the most robust features of Apache modules are often overlooked. The order & cascade are prime examples.

Keyplyr, if order, and cascade are relevant to this discussion maybe you could be more specific about how they could be used. If there are strategies for htaccess built by piecemeal that differ from simple concatenation of separate files I'd like to hear about them.

Certainly inherit allows htaccess specified in the parent directory to apply to a child directory. I guess that would allow me to specify overriding htaccess rules that should apply to every site, and then do site-specific ones in the site folder itself. Interestingly, I believe the parent rules can be superseded in the child directory.

Not knowing how your account is currently set up, I wouldn't be able to be more specific. Just giving you some things to consider. Appears you are :)

if you're not going to pay any attention to the second filename, why even offer it in the syntax description?

That's why I cited DirectoryIndex as an analogy; it works exactly the same way:

DirectoryIndex index.html index.php index.htm index.jsp

means: "If there's a file called index.html, use it. If not, look for index.php. If there is one, use it. If not" et cetera. I don't know what real-life situations would call for something similar w/r/t htaccess-or-equivalent files. Maybe in shared hosting you'd use a different name in some situations?

inherit allows htaccess specified in the parent directory to apply to a child directory

For almost everything except mod_rewrite, inheritance is the default: use the top-level directives PLUS the next-level directives PLUS the ones after that, all the way down the line. But even with "RewriteOptions inherit", mod_rewrite doesn't work that way. Here, "inherit" means: "If no RewriteRules in the present htaccess apply to the request, then go back and apply anything from the previous level". So, unlike other mods, you can't have multiple RewriteRules applied to the same request. (It actually says so in the docs, but I didn't believe them, so I experimented.)

And that's why everyone is unanimous in telling you not to have mod_rewrite in more than one place along the same path. That applies equally to htaccess files and <Directory> sections.

cat .htaccess1 .htaccess2 > .htaccess

Where's this from?

Aha! I see now. Thank you. That list is the ORDER in which Apache looks for htaccess files. Stupid me. I think that seeing that list of files made me wonder if they were ALL considered stuff for htaccess. In principle you could put previous versions of htaccess lower in the order so you're assured that at least one will apply.

But yes, it looks like my strategy is going to have to be either building my one directory htaccess file using separate pieces OR dividing that file into htaccess files in the levels above it and assuming inheritance applies.

That's an excellent point about how inheritance applies to mod_rewrite. Only one can apply to the request. If you have multiple RewriteRules applied to one request do you get an error or does Apache just throw up its hands and ignore all of them?