Not sure if possible. The trick is that in order to get the URL, you need to first allow the whole TCP handshake, and only then may you receive the HTTP GET request. The URL is not present anywhere before this request.
That means you have to let ALL connections on port 80 be established, until the first HTTP request comes in. Only after that may you decide whether to let them continue (from Let's Encrypt) or block them (anything else).
Your typical firewall setup isn't good for this. A quick look at the video shows that none of the methods will be suitable:
- Method 1 is extremely CPU intensive and plain wrong. They shouldn't even mention it.
- Method 2 works only for DNS (so you can match only the hostname, not the path).
- Method 3 works for encrypted traffic but, again, only for the hostname, not the path.
There might be some complicated way of doing it by counting packets/bytes, etc., but I am too lazy to think that much.
An easier approach would be a reverse proxy (e.g. HAProxy, NGINX, etc.), which will accept and forward only allowed paths. I personally use a similar approach to split my SSTP/HTTPS traffic from a single port, as well as each HTTPS stream to a separate application server. I run my proxies in Docker on a Raspberry Pi and it works quite well.
edit:
Use an address-list for these domains:
Interesting! This goes directly against the Let's Encrypt FAQ. Are you sure this is the full list of addresses which are sending HTTP validation requests? My understanding is that these addresses are only for clients to submit certificate requests, and then validation may occur from any other IP.
edit2: sorry, I shouldn't edit, I guess...
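An added example of the reverse-proxy approach the post describes (not from the original post or its author): an NGINX server block for port 80 that forwards only the ACME HTTP-01 challenge path (/.well-known/acme-challenge/) and closes every other connection once the request line has been read. The backend address 127.0.0.1:8080, where the ACME client is assumed to serve its challenge files, is a placeholder.

```nginx
# Added example, not from the original post. Port-80 reverse proxy that lets
# only Let's Encrypt HTTP-01 validation requests through and refuses all other
# paths. Assumption: the ACME client serves challenge files from a backend at
# 127.0.0.1:8080 (placeholder, replace with your own).
server {
    listen 80 default_server;
    server_name _;

    # The only path HTTP-01 validation ever requests.
    # "^~" makes this prefix location win over any regex locations.
    location ^~ /.well-known/acme-challenge/ {
        # Validation is a plain GET; refuse any other method.
        limit_except GET {
            deny all;
        }
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        # Separate log so validation attempts stay visible.
        access_log /var/log/nginx/acme.log;
    }

    # Everything else on port 80: the decision is made here, after the request
    # line arrived, which is the point the post makes. 444 is NGINX-specific and
    # closes the connection without sending a response.
    location / {
        return 444;
    }
}
```

Because the decision happens after the TCP handshake and request line, this does not stop the connection itself, only what is forwarded; rate limiting or a firewall address list would still be needed to reduce connection load on port 80.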