htaccess protect all subfolders & files

Question

I have this situation:

/storage
  index.php
  other scripts.php
  /files  
    -files and folders-

I want to deny all the HTTP requests to all files and subfolders of /files but in the same time allowing to access /storage and run those PHP scripts. I tried some rules but they either protect only the listing of files or don't allow access to all the /storage folder.

The .htaccess must be outside /files (because this folder is accessed by PHP readfile and .htaccess could be accessible).

Answer 1

In your root .htaccess file i.e. under /storage directory put this line:

RewriteRule ^files/ - [R=404,L,NC]

This will throw 404 to all the HTTP requests for anything under files/ sub directory while your .php files will be able to include files under files/ sub directory.

Answer 2

I think something like this, in the parent directory (you may want to use the full path)

<Directory ./Files>
  ORDER DENY, ALLOW
  DENY FROM ALL
</DIRECTORY>

In general I'd recomend that you simply put your /files directory somewhere outside the document root for safety. That way if .htaccess accidentally gets turned off or broken you don't end up exposing the files.

Edit:

My apologies, The <Directory> directive is only valid in the server config (you'd need to put it in the httpd.conf file or equivalent), not in .htaccess. If you're sure of the types of files you're going to be putting in the directory you can use the <Files> directive with the various file types: http://httpd.apache.org/docs/current/mod/core.html#files this would however need to be put in the Files directory. (then possibly just exclude it from the PHP script, though many ignore hidden files already).