Kind of a hack at the moment but give this is a shot.

Edit your nginx site configuration to add / modify the following locations

location ^~ /api/v3/internal/allowed {
    proxy_read_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
    proxy_connect_timeout 300; # https://github.com/gitlabhq/gitlabhq/issues/694
    proxy_redirect     off;

    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_set_header   Host              $http_host;
    proxy_set_header   X-Real-IP         $remote_addr;

    proxy_pass http://gitlab;}

location / {
    auth_basic "Gitlab Restricted Access";
    auth_basic_user_file  /home/git/gitlab/htpasswd.users;
    # serve static files from defined root folder;.
    # @gitlab is a named location for the upstream fallback, see below
    try_files $uri $uri/index.html $uri.html @gitlab;
}

Leaving your @gitlab location block as is.

The trick is you let /api/v3/internal/allowd bypass the authentication. If you look at the logs when you do an git pull / push a request is made to the server whether or not to allow it. And on the standard nginx config with htpasswd that request would be blocked because the server has no idea about the authentication required.

Anyway not sure if there's a better alternative (couldn't find any) but this seems to work for me.

Add this to /etc/gitlab/gitlab.rb:

nginx['custom_gitlab_server_config'] = "auth_basic 'Restricted';\n  auth_basic_user_file htpasswd;\n"

And run gitlab-ctl reconfigure

Your issue is that you want set a password restriction for public access to GitLab, but let Gitlab-Shell access the local GitLab instance without restriction.

You can have 2 nginx configurations depending on the IP interface. Change the line listen 0.0.0.0:80 default_server to listen 127.0.0.1:80 default_server.

https://github.com/gitlabhq/gitlabhq/blob/v7.7.2/lib/support/nginx/gitlab#L37-38