How to deny access to all but one IP, and allow access to specific URIs for all with Apache 2.4
I need to block access to the site from the public but allow one IP address in. I also need to give the public access to a couple of URIs. But nothing works - either everything gets blocked or everything is open.
Simplified extract from Apache conf:
<Directory /site/dir>
Require ip 1.2.3.4
</Directory>
<Location "/open/for/public1">
Require all granted
</Location>
<Location "/open/for/public2">
Require all granted
</Location>
Now all gets blocked.
Also tried with old syntax:
<Location "/open/for/public1">
Order allow,deny
allow from all
</Location>
Still same.
I've tried blocking the site with a <Location "/"> directive (instead of the <Directory> directive), but then public1 and public2 also get blocked.
I've tried with:
SetEnvIf Request_URI "^/open/for/public1$" NO_AUTH_NEEDED=1
<Directory /site/dir>
Order Deny,Allow
Deny from all
Allow from env=NO_AUTH_NEEDED
Allow from 1.2.3.4
</Directory>
Doesn't work, all gets blocked.
All suggestions welcome
What finally helped me were Apache Rewrite rules and LogLevel alert rewrite:trace6. In this case it appears that in addition to some .htaccess files (which I didn't think had any effect) there were some internal redirects in the code. So I ended up using something like this in the VirtualHost section:
# The pattern is a regex: anchor it and escape the dots so only 1.2.3.4 matches
RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.4$
RewriteCond %{REQUEST_URI} !^/open/for/public(.*) [NC]
RewriteRule .* - [F]
and in the .htaccess:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [END]
I added that [END] and it seems to be very important, as without it the Rewrite engine keeps going and for some reason, with some internal redirects (from the Apache log: ...internal redirect with /index.php [INTERNAL REDIRECT]), the URL gets mangled and RewriteRule .* - [F] fires every time.
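The behaviour described in this answer can be reproduced with a small model. This is an added example, not code from the original post: it is a simplified Python simulation of the two RewriteCond lines and the .htaccess front-controller rewrite, showing why a public URI is forbidden once the request is internally redirected to /index.php without [END]. It also compares an anchored address pattern with the unanchored, unescaped `1.2.3.4`. The function names and the visitor address are assumptions made for illustration.

```python
import re

# Anchored, dot-escaped address pattern, and the looser unanchored form.
STRICT_IP = re.compile(r"^1\.2\.3\.4$")
LOOSE_IP = re.compile(r"1.2.3.4")
# RewriteCond %{REQUEST_URI} !^/open/for/public(.*) [NC]
PUBLIC_URI = re.compile(r"^/open/for/public(.*)", re.IGNORECASE)


def vhost_forbids(remote_addr, uri, ip_pattern=STRICT_IP):
    """[F] fires only if both negated conditions hold (RewriteCond lines are ANDed)."""
    return not ip_pattern.search(remote_addr) and not PUBLIC_URI.search(uri)


def status(remote_addr, uri, is_file, end_flag, ip_pattern=STRICT_IP):
    """Simplified flow: VirtualHost rules, then the .htaccess rewrite to
    index.php, then (only without [END]) the VirtualHost rules again."""
    if vhost_forbids(remote_addr, uri, ip_pattern):
        return 403
    if not is_file:  # !-f and !-d hold, so the front controller takes over
        uri = "/index.php"
        if not end_flag and vhost_forbids(remote_addr, uri, ip_pattern):
            return 403  # the public exemption no longer matches /index.php
    return 200


if __name__ == "__main__":
    visitor = "203.0.113.9"  # constructed address from a documentation range
    for end_flag in (False, True):
        print("END" if end_flag else "no END",
              status(visitor, "/open/for/public1", False, end_flag))
    for addr in ("1.2.3.4", "1.2.3.45", "11.2.3.4"):
        print(addr, "strict:", vhost_forbids(addr, "/private"),
              "loose:", vhost_forbids(addr, "/private", LOOSE_IP))
```

The model only covers the rule evaluation order; confirming the real request flow still needs the rewrite trace log mentioned above.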