setfacl -m g:apache:r apache_readable.txt

This adds group permissions to the file even though you are not a member of said group, which is apache in this case. You can't do this with the normal chgrp command.

The only other way to allow apache to read .htpasswd and not allow all the other users to see it is to add httpd to every single user group on the system, which is not practical, or to use deny permissions like this: chgrp <group_that_denied_users_are_in> .htpasswd && chmod 604 .htpasswd.