Let’s say you have a multisite installation with several (sub)domains pointing to the same document root. Now, you want to protect private.domain.com with ht-authentication while www.domain.com stays publicly available.
Please welcome Apache’s setEnvIf as your friend:
AuthName "Private"
AuthType Basic
AuthUserFile /var/www/.htpasswd
require valid-user
SetEnvIf Host private.domain.com secure_content
Order Allow,Deny
Allow from all
Deny from env=secure_content
Satisfy Any
Source: http://stackoverflow.com/a/6953716/93261