Protect apache2 server-status handler by password

Solution 1:

To allow other hosts, you can just update line:

Allow from localhost ip6-localhost

to read:

Allow from localhost ip6-localhost 1.2.3.4 1.2.3

For the authentication part, you add a block like:

AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user rbowen 

The passwords file need to be created using htpasswd utility. Have a look at this page for more details.

Solution 2:

In the <Location /server-status> stanza, include both the Allow from localhost and authentication directives. The key is to use Satisfy Any to specify that requests from localhost can bypass authentication.

Edit: Explicit example, as requested (it just combines everything that everyone has said so far):

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Satisfy Any

    Allow from localhost ip6-localhost

    AuthType basic
    AuthName "Apache status"
    AuthUserFile /etc/apache2/passwd-server-status
    Require valid-user
</Location>