Custom errors in shared apache setup, for pages outside of gitlab


running gitlab CE 8.12.3 omnibus installer on RHEL 6 inside a apache 2.2

We’re running gitlab under a relative root ( and have other applications running there as well.
We need to be able to set custom 404 pages for the apache as a whole, not just for gitlab.

I run into trouble because of the following config I believe:

    #Forward all requests to gitlab-workhorse except existing files like error documents
    RewriteCond %{REQUEST_URI} ^/uploads/.*
    RewriteCond %{REQUEST_URI} !^/app1/.*$ [NC]

    RewriteRule .*{REQUEST_URI} [P,QSA]

This will forward anything that is not a file, so anything that would be caught as a 404 is forwarded to gitlab-workhorse.
But if I try to access a non existing page outside of /gitlab . I get a standard empty page, just repeating the URI I cannot access. This is considered a XSS vulnerability here, hence the requirement to use a custom 404 page.

For other applications, the custom 404 page works, that is, /app1/nonexisting returns the page, because of the last RewriteCond line above.

Further down the config it says
ErrorDocument 404 /404.html

But this will only be reached if gitlab-workhorse is down right?

How can i get /nonexisting to also return my /404.html page?

Kind regards,