I’m posting this in case it helps someone else. I was able to force basic authentication on Gii by using the following rules in my htaccess file (before the rewrite mod):
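    # Flag any request whose path starts with /gii (case-insensitive)
    SetEnvIfNoCase Request_URI ^/gii gii_auth=1

    AuthName "Gii"
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile "/path/to/.passwd"
    Require valid-user

    # Host-based access passes for everything except flagged requests
    Order Allow,Deny
    Allow from all
    Deny from env=gii_auth

    # Grant access if either the host check or the login succeeds
    Satisfy Any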
… and my Gii IP filter is set to:
    'ipFilters'=>array(
        // REMOTE_ADDR is the address of the current client
        $_SERVER['REMOTE_ADDR'],
    ),
… so now unless someone guesses both my basic auth username and pass and my Gii password, I’m screwed, but otherwise I can work with little fear of someone messing with Gii if they find my online dev environment.
My URL Manager currently looks like this:
    'urlManager'=>array(
        'urlFormat'=>'path',
        'showScriptName'=>false,
        'caseSensitive'=>false,
        'rules'=>array(
            '<controller:\w+>/<id:\d+>'=>'<controller>/view',
            '<controller:\w+>/<action:\w+>/<id:\d+>'=>'<controller>/<action>',
            '<controller:\w+>/<action:\w+>'=>'<controller>/<action>',
        ),
    ),
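The htaccess rules above use the Apache 2.2 access directives (Order, Allow, Deny, Satisfy), which Apache 2.4 only supports through mod_access_compat. The following is an added example, not part of the original post, showing the same policy in Apache 2.4 authorization syntax; it assumes mod_setenvif and mod_authz_core are loaded and reuses the post's placeholder password file path.

```apache
# Added example: Apache 2.4 form of the rule in the post.
# "/path/to/.passwd" is the same placeholder path used in the post.

# Flag any request whose path starts with /gii (case-insensitive).
SetEnvIfNoCase Request_URI ^/gii gii_auth=1

AuthName "Gii"
AuthType Basic
AuthBasicProvider file
AuthUserFile "/path/to/.passwd"

<RequireAny>
    # Branch 1: requests that did not set gii_auth pass without a login prompt.
    <RequireAll>
        Require all granted
        Require not env gii_auth
    </RequireAll>
    # Branch 2: flagged requests fail branch 1 and need a valid login.
    Require valid-user
</RequireAny>
```

Use one style or the other in the same file: when switching to this form, remove the Order, Allow, Deny and Satisfy lines rather than keeping both sets of directives.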