I can answer myself because I finally found a link to another post.
The following will restrict certain source addresses from accessing certain URL via the ACE, I have tried this in one armed-mode, but should work even with routed-mode.
### Also important to notice is that doing Layer-7 loadbalancing with ssl the ACE will need to terminate the tunnel otherwise all traffic passed the ACE encrypted###
class-map type http loadbalance match-all ten
2 match source-address 10.0.0.0 255.0.0.0
4 match http url .*
class-map type http loadbalance match-all seventeen
2 match source-address 17.16.0.0 255.255.0.0
4 match http url .*
class-map type http loadbalance match-any restrict
2 match http url /public.*
4 match http url /downloads.*
then use in load balance policy as follows:
policy-map type loadbalance first-match WEBSERVER_L7 class ten sticky-serverfarm WEBSERVER_StickyGroup class seventeen sticky-serverfarm WEBSERVER_StickyGroup class restrict sticky-serverfarm WEBSERVER_StickyGroup
if you want to send outside users with other urls to a sorry page you would have a server in a serverfarm taht would do that and use it in a class class-default on the bottom of the load balance policy. The matches on load balance policy are top down so order is important.