[BUG] Error Page when using Authelia #2031

Open
2 tasks done
ocean75 opened this issue Feb 25, 2025 · 0 comments
Labels
bug Something isn't working

ocean75 commented Feb 25, 2025

What happened?

This is a follow-up on issue #1472, which has been reported as completed.

Unable to get the BW Error plugin to work correctly when the destination site is redirected to Authelia and the source IP is blacklisted.

How to reproduce?

For instance, I want only certain external IP addresses to have access to the BW website. These IP addresses are whitelisted in BW and must authenticate through Authelia before reaching the BW login page. All other external IP addresses should receive a 403 error, as they are not whitelisted. While this setup works, instead of being presented with the BW Error 403 page, blacklisted external IP addresses (0.0.0.0/0) are shown the NGINX 403 page. If I remove Authelia from the equation, the correct BW Error page is displayed.

I have added the updated Authelia snippet found on GitHub, but I am still unable to display the correct error page. https://github.com/bunkerity/bunkerweb/blob/master/examples/authelia/docker-compose.yml

Configuration file(s) (yaml or .env)

# Proxy to Authelia
REVERSE_PROXY_URL_999: "/authelia"
REVERSE_PROXY_HOST_999: "http://authelia:9091/api/verify"
REVERSE_PROXY_HEADERS_999: "X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length \"\""
# Authelia
authelia.example.com_REVERSE_PROXY_URL: "/"
authelia.example.com_REVERSE_PROXY_HOST: "http://authelia:9091"
authelia.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
authelia.example.com_CUSTOM_CONF_MODSEC_remove-false-positives: |
  SecRule REQUEST_FILENAME "/" "id:1000000,ctl:ruleRemoveByTag=attack-lfi,nolog"
# BunkerWeb
bunkerweb.example.com_REVERSE_PROXY_URL: "/"
bunkerweb.example.com_REVERSE_PROXY_HOST: "http://bw-ui:7000"
bunkerweb.example.com_REVERSE_PROXY_AUTH_REQUEST: "/authelia"
bunkerweb.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://authelia.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri"
bunkerweb.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email"
bunkerweb.example.com_REVERSE_PROXY_HEADERS: "Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email"

Relevant log output

2025/02/25 09:08:28 [warn] 345#345: *32 [ACCESS] denied access from blacklist : IP is in cached blacklist (info : ip), client: XXX.XXX.XXX.XXX, server: bunkerweb.example.com, request: "GET /favicon.ico HTTP/1.1", host: "bunkerweb.example.com", referrer: "https://bunkerweb.example.com/"

bunkerweb.example.com XXX.XXX.XXX.XXX - - [25/Feb/2025:09:08:28 -0500] "GET /favicon.ico HTTP/1.1" 403 548 "https://bunkerweb.example.com/" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Mobile Safari/537.36"

BunkerWeb version

1.6.0

What integration are you using?

Docker

Linux distribution (if applicable)

No response

Removed private data

  • I have removed all private data from the configuration file and the logs

Code of Conduct

  • I agree to follow this project's Code of Conduct

ocean75 added the bug label Feb 25, 2025