If this is within your own network, why not restrict/allow access via IP address or IP range? This example blocks for all—and forces a user/password combo—but allows localhost & the whole 10.x.x.x & 192.x.x.x ranges.
<Location /protected>
AuthName "My Protected Server"
AuthType Basic
require valid-user
AuthUserFile /etc/apache2/my_server_passwords
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 ::1
Allow from localhost
Allow from 10.0.0.0/8
Allow from 192.0.0.0/8
Satisfy Any
</Location>
Or what about using LDAP as described in this article? Config from that article here, but adding the Allow from… from above:
<Location /protected>
# Using this to bind
AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com"
AuthLDAPBindPassword "XXX"
# search user
AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthType Basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
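require valid-user
# Deny by default: without this, Order defaults to Deny,Allow, which admits every host,
# and Satisfy Any would then skip the LDAP login for everyone
Order Deny,Allow
Deny from all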
Allow from 127.0.0.1 ::1
Allow from localhost
Allow from 10.0.0.0/8
Allow from 192.0.0.0/8
Satisfy Any
</Location>
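A way to check blocks like the two above before deploying them, as an added example that is not part of the original answer: it flags `Allow from` ranges that reach beyond loopback and RFC 1918 space, and `Satisfy Any` used without `Deny from all`. It assumes Apache 2.2-style `Order`/`Allow`/`Deny` semantics; `audit_location`, `INTERNAL` and `SAMPLE` are hypothetical names.

```python
import ipaddress
import re

# Loopback plus the RFC 1918 private ranges; anything outside is treated as public.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DIRECTIVE = re.compile(r"^\s*(Order|Allow\s+from|Deny\s+from|Satisfy)\s+(.+?)\s*$", re.I)

def audit_location(block):
    """Audit one Apache 2.2-style <Location> body (Order/Allow/Deny/Satisfy)."""
    order, deny_all, satisfy_any = "deny,allow", False, False  # 2.2 default Order
    public, unresolved = [], []
    for line in block.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments, Auth* directives, blank lines
        name = m.group(1).lower().split()[0]
        args = m.group(2)
        if name == "order":
            order = args.replace(" ", "").lower()
        elif name == "satisfy":
            satisfy_any = args.lower() == "any"
        elif name == "deny":
            deny_all = deny_all or args.lower() == "all"
        else:  # Allow from ...
            for token in args.split():
                try:
                    net = ipaddress.ip_network(token, strict=False)
                except ValueError:
                    unresolved.append(token)  # hostname or partial address
                    continue
                if not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL):
                    public.append(token)
    # Order Deny,Allow admits clients that match no rule, so without "Deny from all"
    # every host passes the host check and Satisfy Any skips the password prompt.
    bypass = satisfy_any and order == "deny,allow" and not deny_all
    return {"public": public, "unresolved": unresolved, "auth_bypass": bypass}

# Constructed sample: the host-access directives from the first block above.
SAMPLE = """Order Deny,Allow
Deny from all
Allow from 127.0.0.1 ::1
Allow from localhost
Allow from 10.0.0.0/8
Allow from 192.0.0.0/8
Satisfy Any
"""
print(audit_location(SAMPLE))
```

On the first block's directives it reports `192.0.0.0/8`, which covers far more than the private `192.168.0.0/16` range, and lists `localhost` as a name that depends on DNS or hosts-file resolution.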