.htaccess和web.config目录访问阻塞可靠吗？

I need to completely block the access of some directories of my PHP application.

This is how my application file system looks like:

www
├── core
│   ├── .htaccess
│   └── many .php files
│
├── logs
│   ├── .htaccess
│   └── many .log files
│
├── .htaccess
├── index.php
└── web.config

both www/core/.htaccess and www/logs/.htaccess look exactly the same:

deny from all

www/.htaccess is as described:

#   Friendly-url definitions
RewriteEngine On
RewriteCond %{REQUEST_URI} /+[^\.]+$ 
RewriteRule ^(.*[^/])$ %{REQUEST_URI}/ [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /index.php [L]

Also, my web.config for IIS servers:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <add segment="core"/>
                    <add segment="settings"/>
                    <add segment="logs"/>
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Is this enough?

I used to put in all my PHP include files a "index.php existence" verification before any other code to make sure it wouldn't be directly accessed. If the file were directly accessed, it'd return 404. But I want to get rid of those annoying verification lines.

Now, with all those .htaccess files, when I try to directly access a file in one of those folders my request is completely "ignored" and www/index.php is executed - much better than a 404-error.

But, is this enough? Can I fearless rely on .htaccess and remove all those index-verification repetitiveness? What about web.config for IIS?

PS: As the application is being made to run in all server configurations possible, I cannot guarantee the possibility of putting those directories outside www. Also, it is required to work in both Apache and IIS servers.

It depends on whether "enough" is good enough for you. For the most part, the deny from all is good enough.

Depending on the server setup, or your scripts, a possible to exploit in one of those things that could cause the htaccess file from being overwritten. So in apache, you can setup the rules in your server/vhost config instead of htaccess files.

The best way is probably still moving the sensitive files out of your document root.