new_rewrite scheme works. However, I have one main issue: I am used to "fail safe" authorization schemes. This is based on the principle nobody is allowed access to anything, unless explicitly allowed. However, the rewrite protection scheme appears to rest on the concept of everybody is allowed access to all protected folders unless rewrite rules in a .htaccess file deny access. In other words, if I accidentally delete a .htaccess file, there goes the store! This is more than an academic concern. In early internet days I had a server that depended entirely on .htaccess. I needed FrontPage installed to support a couple of bots. The sysop tech mass deleted all my .htaccess files on the theory FrontPage handles protection! (Which I did not use) My site had free downloads for over 24 hours. Many took advantage. I have now run with Override None for many years, and all access control in httpd.conf. I do all installs myself. However, Murphy's law prevails. Whatever can go wrong will go wrong. If brakes fail, you want the auto to stop, not continue off the nearest cliff. Bottom line: I have no previous experience with mod_rewrite. I have root access, and total control of the server. What directive(s) can I write in a Directory block that denies access to a directory unless a .htaccess file is present in the directory? Could I use a RewriteCond -f to deny access to the directory if the .htaccess file is missing? Or, is it possible to put all the htaccess content in a Directory block in httpd.conf, with Deny from all unless the rewrite succeeds?
Never mind. I see that the rewrite directives work perfectly in a Directory block. A little tweak now in the script that creates the .htaccess and I can have it write a area.conf file instead.