, try putting logging to see if you are capturing the right URI's.
You can follow Samir's IRule and since you wanted 403, replace drop with respond 403.
when HTTP_REQUEST {
if { !(([string tolower [HTTP::uri]] starts_with "/abc") or ([string tolower [HTTP::uri]] starts_with "/pqr")) } {
HTTP::respond 403 content "<html><body>Access Denied</body></html>"
} else {
log local0. "client=[IP::client_addr] accessing - [HTTP::uri] which is allowed"
}
}
If you want to test before implementing, to make sure you are putting right actions, put logging first. Something like below,
when HTTP_REQUEST {
if { !(([string tolower [HTTP::uri]] starts_with "/abc") or ([string tolower [HTTP::uri]] starts_with "/pqr")) } {
log local0. "client=[IP::client_addr] accessing - [HTTP::uri] which is to be blocked with a 403"
} else {
log local0. "client=[IP::client_addr] accessing - [HTTP::uri] which is allowed"
}
}