So this is what Let me do:

use of* would require user to go in a username/password, except once they visit a certain URIs (e.g. ,, etc.) they should not need to authenticate. (the main) ought to be open, too.

I understand I have got to setup some kind of special .htaccess directives, but I'm not sure exactly how to pull off doing the work. Does anybody understand how I possibly could make this happen?

Any help could be much appreciated. Thanks!

For that subdirectory, simply switch off fundamental authentication. It appears there's no direct method of doing so (e.g. via a "require none" directive), however, you know that you simply accept host-based access control, which any host can access. The next works best for me:

    <Location /foo>
            AuthType Basic
            AuthName Foo
            AuthUserFile /tmp/passwd
            require valid-user
    <Location /foo/bar>
            Allow from all
            Satisfy any
RewriteRule ^(contact|blog|)(|/.*)$ - [NC,L]
RewriteRule ^example_entry_point_with_authentication.php$ - [L]
RewriteRule .* /example_entry_point_with_authentication.php [L,QSA]

For things beginning with contact, blog or free (situation insensitive), no rewrite

For authentication page, also don't rewrite (otherwise infinite loop -> server error)

For anything else, make use of the authentication page. Continue w/ business logic after that, based on auth result.