I played with this. You can enable clear-text access to Apache by editing the httpd.conf and adding a line for the listener:
Listen: Allows you to bind Apache to specific IP addresses and/or
ports, in addition to the default. See also the
directive.
Change this to Listen on specific IP addresses as shown below to
prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
Listen 12.34.56.78:80
If you put one of your IP addresses there, with port 80, or 8080, or whatever, you will enable clear-text access via that IP and port (and through no other IP:port). The SSL access config is in
/config/httpd/conf.d/ssl.conf
You can modify the "Listen" line from
Listen 443
to
Listen 1.1.1.1:443
If 1.1.1.1 is your management IP, this will restrict access to the web GUI and iControl to the management interface only.
If you wanted to leave the management GUI up, but block iControl, you could edit the httpd.conf as follows. Find this entry:
Satisfy any means that a connection may satisfy either the address access
restriction or the authentication restriction in order to be authorized to
access this directory.
Satisfy any
Access is restricted to traffic from 127.*.*.*
Order deny,allow
Deny from all
Allow from 127
This is an exact copy of the authentication settings of the document root.
If a connection is attempted from anywhere but 127.*.*.*, then it will hav
e
to be authenticated.
AuthType Basic
AuthName "BIG-IP"
AuthPAM_Enabled on
AuthPAM_CacheTimeout 86400
require valid-user
You can change "satisfy any" to "satisfy all", which would require the client to both provide a valid password and be on the local host. If you wanted to still allow localhost clients to make requests without authentication, you could fiddle around with the settings in this section according to the Apache manual.
There's at least half a dozen ways to do what you want to do. I don't see why the official line is that this feature is not available!