I’m posting this in case it helps someone else. I was able to force basic authentication on Gii by using the following rules in my htaccess file (before the rewrite mod):
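    # Flag any request whose URI starts with /gii (case-insensitive)
    SetEnvIfNoCase Request_URI ^/gii gii_auth=1
    AuthName "Gii"
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile "/path/to/.passwd"
    Require valid-user
    # Host-based check passes for everything except flagged /gii requests
    Order Allow,Deny
    Allow from all
    Deny from env=gii_auth
    # Either check is enough, so only /gii requests fall through to basic auth
    Satisfy Any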
… and my Gii IP filter is set to:
    'ipFilters'=>array(
        // the requesting client's own address, so this filter matches every visitor
        $_SERVER['REMOTE_ADDR'],
    ),
… so now, unless someone guesses both my basic auth username and pass and my Gii password, I’m screwed, but otherwise I can work with little fear of someone messing with Gii if they find my online dev environment.
My URL Manager currently looks like this:
    'urlManager'=>array(
        'urlFormat'=>'path',
        'showScriptName'=>false,
        'caseSensitive'=>false,
        'rules'=>array(
            '<controller:\w+>/<id:\d+>'=>'<controller>/view',
            '<controller:\w+>/<action:\w+>/<id:\d+>'=>'<controller>/<action>',
            '<controller:\w+>/<action:\w+>'=>'<controller>/<action>',
        ),
    ),
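The htaccess rules in the post use the Apache 2.2 access directives (Order, Allow, Deny, Satisfy). As an added example that is not part of the original post, the same "basic auth only for /gii" policy can be written with Apache 2.4's Require directives; it assumes Apache 2.4 with mod_authz_core and mod_setenvif, and reuses the post's placeholder password file path.

```apache
# Added example, not from the original post: Apache 2.4 form of the same policy.
# Flag any request whose URI starts with /gii (case-insensitive)
SetEnvIfNoCase Request_URI ^/gii gii_auth=1

AuthName "Gii"
AuthType Basic
AuthBasicProvider file
# Placeholder path from the post; keep the file outside the document root
AuthUserFile "/path/to/.passwd"

<RequireAny>
    # Requests that are NOT flagged as /gii are allowed without credentials.
    # A negated Require cannot grant access by itself, so it is paired with
    # "Require all granted" inside RequireAll.
    <RequireAll>
        Require all granted
        Require not env gii_auth
    </RequireAll>
    # Flagged /gii requests fail the block above and need a valid login
    Require valid-user
</RequireAny>
```

Requesting /gii without credentials should return 401 with a Basic challenge, while other URLs load without a prompt.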