Issue with some mobile websites

[Phones4Work]

It has come to my attention that on mobile devices, some websites are not being filtered when the mobile version is accessed. For example, if a user visits https://shein.com from a mobile browser is will redirect them to m.shein.com. This mobile version does not show up in the web filter logs and neither does it get filtered. If the user enabled "Desktop Site" on his mobile browser, it will log and be filtered as expected.

Does anyone know what is going on here and how do I fix it?

[ra-at-diladele-com]

If the mobile version of that site does not show in the logs - then most probably, it means the device was not connecting through the proxy and went directly from the mobile phone to the origin site. Usually this behavior is with QUICK protocol which utilizes UDP connections on ports 80/443 and works completely differently than normal HTTP.

The solution is to use your firewall only allowing outbound connections from your proxy to TCP ports 80 (HTTP), 443 (HTTPS) and blocking all other protocols, ports. In addition to that, all outgoing connections from other machines except your proxy should be blocked too.

This forces the devices to use proxy for outbound connections and thus all your HTTP(S) connections should go through the proxy and thus be filtered.

[Phones4Work]

Thanks for your reply. That works when they are inside a corporate network. Any idea on how make this work on a mobile device outside the corporate firewall? It is a mobile device managed via an MDM. We have Chrome policies enabled to force Chrome to use the proxy and also have private DNS set. Google apparently has not made a way in Chrome Management to prevent it from using QUIC since I see no setting for that. Interestingly the DNS server logs show attempts to access a whole host of shein.com domains which were blocked. A closer review of the proxy logs shows an attempt to access shein.com (which is forwarded) but then no more logs for the rest of the traffic.

If I am interpreting this correctly, Chrome makes the first attempt to connect to shein.com and then somehow "decides" to do all further communication through QUIC?

[Phones4Work]

I used a desktop computer, navigated to chrome://flags and disable the QUIC protocol completely, restarted chrome and accessed the following URL's:
https://m.shein.com/us/pdsearch/ebike/?Searchboxform=1&channel_id=1&ici=s1%60RecentSearch%60ebike%60_fb%60d0%60PageHome&search_source=1&source=historyWord&src_identifier=st%3D5%60sc%3Debike%60sr%3D0%60ps%3D1&src_module=search&src_tab_page_id=page_pre_search1756745660536&word_id=140319

and

https://m.shein.com/us/New-Balance-New-Balance-9060-Men-s-p-33631810.html?cdn_rsite=cf&ref=m&rep=dir&ret=mus

The log in the proxy showed this:

Date and Time Session Policy IP User Status Method Download Upload Domain URL Verdict Module Duration
2025-09-01 18:54:31.000 0 - removed - 200 TCP_TUNNEL CONNECT 106.1 KB 62.1 KB shein.com m.shein.com:443 forward none 9971 / 0
2025-09-01 18:54:24.000 23881 "removed" removed removed 200 TCP_MISS GET 357 bytes 1.4 KB shein.com https://count.shein.com/none.css?server=usa forward clean 251 / 0
2025-09-01 18:54:22.000 23841 "removed" removed removed 200 TCP_MISS GET 357 bytes 1.2 KB shein.com https://count.shein.com/none.css?server=usa forward clean 166 / 0
2025-09-01 18:54:21.000 23828 "removed" removed removed 200 NONE_NONE CONNECT 0 bytes 267 bytes shein.com count.shein.com:443 forward clean 328 / 1
2025-09-01 18:54:21.000 0 - removed - 200 TCP_TUNNEL CONNECT 2.6 KB 2.9 KB shein.com m.shein.com:443 forward none 8368 / 0
2025-09-01 18:54:21.000 0 - removed - 200 TCP_TUNNEL CONNECT 469.6 KB 109.2 KB shein.com m.shein.com:443 forward none 25208 / 0
2025-09-01 18:54:18.000 23787 "removed" removed removed 200 NONE_NONE CONNECT 0 bytes 281 bytes ltwebstatic.com sheinm.ltwebstatic.com:443 forward clean 104 / 1
2025-09-01 18:54:18.000 23776 "removed" removed removed 200 NONE_NONE CONNECT 0 bytes 281 bytes ltwebstatic.com sheinm.ltwebstatic.com:443

Does that help provide any insight in what might be happening?

[ra-at-diladele-com]

The logs seem normal for a non HTTPS decrypting proxy for access to that site. Have you configured anything which should block that site and it was not blocked? If not then the access log seems pretty normal...

[Phones4Work]

Search the site for adult related content, it pops up an age verification box and displays all the adult content. The age verification box alone should trigger a block, however it proceeds beyond that and displays all the adult content, no blocking whatsoever

Looking at the the 2 URLs examples above, you will see they are not in the log. These 2 URL's should not have been blocked, but should show in the logs I believe.

[ra-at-diladele-com]

I tried with HTTPS decrypting AD integrated (both web safety for linux and web filtering proxy for windows) using Firefox and Edge in an environment where no outgoing QUIC is possible (blocked on the firewall) - and the NSFW term cannot even be searched for - it gets blocked.

So if you do not see the QUIC connections to m.shein.com in the logs - it means proxy has no chance to filter it - it also means your browser somehow is able to go out to the internet bypassing the proxy.

One way to find it out is to dump all traffic on the machine where your browser runs as explained in https://www.diladele.com/webproxy/docs/faq/proxy/how_to_capture_trafic_on_windows_proxy_netsh/ - and then look for the traffic bypassing the proxy. Also it is a good idea to dump the keys to be able to see the HTTPS contents in the wireshark as explained in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HB8gCAG&lang=en_US%E2%80%A9

Finally you can enable dump of sessions in ICAP and manually look at all the contents the proxy had to inspect when going to m.shein.com - see UI / Web Filter / Settings / Network / Dump.

[Phones4Work]

Thanks for that info, I will try those troubleshooting steps to see what I find.

[Phones4Work]

I had a little more time to look into this today.

I blocked QUIC.
I set shein.com as blocked in Websafety
I disabled all DOH in Chrome
I tried it on a custom browser with no built in QUIC support.
And various other things.

Results are:
shein.com = blocked
us.shein.com = blocked
m.shein.com = full access and no filtering.

Based on the URL, it seems Cloudflare is somehow involved here. I don't know if that is contributing or not, but I am about at my wits end. Somehow, there seems to be a direct connection to m.shein.com.

[Phones4Work]

I would be glad to send you proxy credentials if you wish to test it on your machine.

[ra-at-diladele-com]

Well it seems now it is time to capture the traffic from the machine where your are running the browser - load it into wireshark and try to find the packets going to m.shein.com - if the other end of those is not your proxy - then you will know the client has gone directly.

[Phones4Work]

I will email you my Wireshark log. I don't see any access to m.shein.com that is not going through the proxy.