Oh, thanks for clarifying. Two things that come to my mind are:
1) Try to do it on the application level. For example, try a following
hack - check $_SERVER['REMOTE_ADDR'] in LocalSettings.php and
conditionally set $wgGroupPermissions['*']['read'] to false (also
'edit', 'createaccount', 'createpage', 'createtalk',
'writeapi') => the
wiki will become read-only for non-local addresses... Or another kind of
hack - maybe it's even better because of missing userCanRead() calls in
different parts of MW: redirect all anonymous external users to
Special:Userlogin (again with PHP, using IP check in LocalSettings.php),
so the only page they will have access to will be the login page.
2) Try "Satisfy any" in Apache and still use REMOTE_USER, i.e.:
Allow from 192.168.0.0/24
Require valid-user
Satisfy any
This will probably lead to external users having to log in using HTTP
authentication and internal users having to use normal application-level
authentication. But I think this is uglier, at least because of HTTP
auth.