Is this what you are looking for?
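when HTTP_REQUEST {
    # Restricts selected URI prefixes, per virtual host, to clients listed in
    # address_datagroup. A client outside that data group is redirected when
    # the requested URI starts with an entry in the data group for the
    # requested host; every other request is passed through unchanged.
    #
    # NOTE(review): matchclass is kept as posted. On newer TMOS versions
    # "class match" is the documented replacement; confirm against the
    # target version before deploying.
    # NOTE(review): these log lines fire on every request. Consider removing
    # or rate-limiting them once the rule has been validated.
    set client_ip [IP::client_addr]
    log local0. "client IP is $client_ip"

    if { not [matchclass $client_ip eq address_datagroup] } {
        log local0. "$client_ip is accepted but not in the address_datagroup"

        # The Host header is client-supplied and may carry a port suffix or a
        # trailing dot. Normalise it before the exact-match switch so those
        # variants are compared against the same host names. A host that is
        # not listed below still falls through and is allowed.
        set req_host [string trimright [getfield [string tolower [HTTP::host]] ":" 1] "."]

        # The URI is compared lower-cased but otherwise exactly as sent; it is
        # not percent-decoded or path-normalised before the starts_with test.
        # NOTE(review): confirm the data group entries account for that, or
        # normalise the path before matching.
        set req_uri [string tolower [HTTP::uri]]

        # NOTE(review): the redirect target below is plain http; confirm
        # whether https is intended.
        switch $req_host {
            "xxx1.xxx.com" {
                if { [matchclass $req_uri starts_with xxx1_xxx_com_uri_datagroup] } {
                    log local0. "client $client_ip requested [HTTP::host][HTTP::uri] and is not part of address_datagroup"
                    HTTP::redirect "http://xxx.xxx.com/"
                }
            }
            "xxx2.xxx.com" {
                if { [matchclass $req_uri starts_with xxx2_xxx_com_uri_datagroup] } {
                    log local0. "client $client_ip requested [HTTP::host][HTTP::uri] and is not part of address_datagroup"
                    HTTP::redirect "http://xxx.xxx.com/"
                }
            }
            "xxx3.xxx.com" {
                if { [matchclass $req_uri starts_with xxx3_xxx_com_uri_datagroup] } {
                    log local0. "client $client_ip requested [HTTP::host][HTTP::uri] and is not part of address_datagroup"
                    HTTP::redirect "http://xxx.xxx.com/"
                }
            }
            "xxx4.xxx.com" {
                # NOTE(review): this case checks the xxx2 data group, unlike
                # the other cases, which each use their own host's group.
                # This looks like a copy-paste slip; confirm which data group
                # is intended for this host.
                if { [matchclass $req_uri starts_with xxx2_xxx_com_uri_datagroup] } {
                    log local0. "client $client_ip requested [HTTP::host][HTTP::uri] and is not part of address_datagroup"
                    HTTP::redirect "http://xxx.xxx.com/"
                }
            }
        }
    } else {
        log local0. "$client_ip is accepted and is in the address_datagroup"
    }
}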
This should accept all comers to the site. If a client is not in the address_datagroup and the requested URI starts with an entry in the datagroup for the requested host, it'll redirect them somewhere. Otherwise, it'll allow them through unimpeded. Note that a request for a host name not listed in the switch is also allowed through.