1 Why GitHub Copilot deserves a dedicated Clash rule block
In 2026, “AI coding assistant” traffic is still fragmented by product and legal boundary, not by a magical keyword. GitHub Copilot reuses GitHub identity, billing, and policy, yet the inference plane is not identical to browsing a repository in Chrome. You might authenticate successfully in the browser while the VS Code extension spins forever, simply because collector.github.com or a githubcopilot.com API host stayed on DIRECT while your subscription expects a stable overseas exit. Clash on the Mihomo core makes that failure mode visible: the connection log shows the exact SNI, and your YAML explains which line matched first.
A dedicated policy group—call it PROXY_GH_COPILOT—lets you bind DOMAIN-SUFFIX rows and optional RULE-SET providers without entangling unrelated SaaS. That matters for teams who must audit egress: you can diff a small Git-tracked ruleset instead of guessing which upstream geosite blob swallowed Copilot last quarter. If you are onboarding a new laptop, start from our download page for a maintained client build; treat upstream GitHub repositories as the transparency layer for source and issues, not as the primary installer path for everyday users.
The rest of this article assumes you already run Clash with working nodes and sane DNS. We focus on host coverage, ordering, and verification patterns that survive editor updates—because Microsoft and GitHub ship Copilot changes frequently, and your rules should age gracefully when new subdomains appear under the same registrable suffix.
2 Three planes: GitHub web login, IDE traffic, and model API requests
Plane one—authentication and account chrome. Signing in, organization SSO, and many management APIs still center on github.com and api.github.com. Copilot entitlement checks can touch paths under api.github.com such as the documented copilot_internal family for user state. If only githubcopilot.com is proxied, you may fix chat streaming yet break license refresh loops that never leave GitHub’s core API. Treat DOMAIN-SUFFIX,github.com as the backbone for identity, not as “optional extras.”
Plane two—editor extensions and auxiliary services. Official documentation and enterprise allowlists call out hosts like copilot-proxy.githubusercontent.com and origin-tracker.githubusercontent.com as part of the suggestion pipeline, alongside broad *.githubusercontent.com coverage for assets and auxiliary calls. Telemetry endpoints such as copilot-telemetry.githubusercontent.com, collector.github.com, and third-party measurement domains may also appear in hardened corporate allowlists. You can route telemetry separately if policy demands it; for home labs, grouping the entire githubusercontent.com suffix with Copilot often reduces whack-a-mole when a new asset hostname appears overnight.
Plane three—model inference and subscription routing. Copilot’s public documentation describes wildcard coverage under *.githubcopilot.com and nested patterns for individual, business, and enterprise API planes. GitHub’s own changelog for 2026 also notes subscription-based routing for the Copilot coding agent on self-hosted runners, steering Pro traffic toward api.individual.githubcopilot.com while Business and Enterprise use their respective api.*.githubcopilot.com hosts instead of legacy consolidated names. Your YAML should therefore anticipate multiple sibling suffixes under githubcopilot.com, not a single static FQDN you copied from an old forum post.
DOMAIN-KEYWORD,copilot shortcuts that false-positive on unrelated sites.
3 Domains GitHub publishes for firewall and proxy teams
GitHub maintains a public Copilot allowlist reference aimed at enterprises that terminate TLS on middleboxes. It is the most authoritative starting point when you translate corporate firewall rows into Clash DOMAIN-SUFFIX lines. Expect the table to enumerate authentication URLs on github.com, REST checks on api.github.com, telemetry hosts, GitHub-owned CDNs, and wildcard patterns for githubcopilot.com plus plan-specific subdomains. When GitHub adds a row, mirror the registrable suffix in Clash rather than hard-coding every leaf host—your policy stays shorter and automatically covers new regional edges GitHub turns up without a blog post.
Practically, a robust baseline for personal developers stacks three suffix rules toward the same policy group: DOMAIN-SUFFIX,github.com, DOMAIN-SUFFIX,githubusercontent.com, and DOMAIN-SUFFIX,githubcopilot.com. That combination catches api.github.com, common proxy and telemetry hosts on githubusercontent.com, and the evolving api.*.githubcopilot.com graph referenced in official materials. If your employer mandates explicit telemetry allowlisting, split collector.github.com or measurement domains into a different group only after you confirm the IDE still functions when those hosts use a separate exit.
Optional extras appear in the same reference for specialized scenarios—Azure Front Door hosts tied to usage report downloads, certificate revocation endpoints, and GitHub Enterprise Cloud domains under *.SUBDOMAIN.ghe.com when your org runs there. None of that negates the core suffix trio; it layers on top when your audit trail proves the traffic exists in your environment.
4 Plan-specific model endpoints and the 2026 agent routing change
Copilot’s commercial packaging maps to different API entry points. Individual Pro and Pro+ sessions should reach api.individual.githubcopilot.com; Business and Enterprise tenants dial their respective api.business.githubcopilot.com and api.enterprise.githubcopilot.com hosts. GitHub’s February 2026 networking note for the Copilot coding agent explains why self-hosted runners can no longer assume a single legacy consolidated hostname: subscription-aware routing reduces cross-plan coupling and lets GitHub enforce policy closer to the edge. Even if you never use the agent feature, the same suffix family often backs interactive chat and premium model routing in editors, so blocking “only the old name” is a recipe for surprise outages after a silent migration.
When you operate a shared proxy profile for a team with mixed plans, keep one policy group that covers the entire githubcopilot.com suffix unless compliance forces you to split traffic by plan. Splitting is rarely worth the operational load unless Security explicitly requires different egress providers per subscription tier. Document whichever choice you make in YAML comments so the next on-call engineer understands why Business traffic shares an exit with Pro.
5 Rule order: why the first match beats clever grouping
Clash evaluates rules: top to bottom; the first hit wins. Subscription bundles that inject aggressive GEOIP or catch-all MATCH lines near the top are a frequent reason Copilot partially works. Move explicit GitHub and Copilot rows above broad regional shortcuts. When you combine inline suffix lines with RULE-SET providers, remember duplicate hostnames obey whichever rule appears earlier—use that to let a tiny local override file win during an incident without forking the entire remote list.
Avoid long-lived DOMAIN-KEYWORD,copilot entries except as a temporary packet capture aid. Keywords overlap marketing sites, internal codenames, and unrelated SaaS in ways suffix rules do not. Production profiles should prefer registrable suffix coverage plus log-driven DOMAIN,exact.host.example lines when a CDN uses a one-off name that does not share a safe suffix with GitHub.
6 Illustrative YAML: groups, providers, and rules
The fragment below is educational. Rename PROXY_GH_COPILOT to match your profile, merge with subscription naming conventions, and run your GUI’s config linter before pushing to a router. Remote rule providers are optional; if you do not trust a URL yet, rely on the three suffix lines until you curate a private list.
# Example only — merge with your full profile
proxy-groups:
- name: PROXY_GH_COPILOT
type: select
proxies:
- AUTO-BEST
- DIRECT
rule-providers:
github-copilot:
type: http
behavior: classical
url: "https://example.com/rules/github-copilot.txt"
path: ./ruleset/github-copilot.yaml
interval: 86400
rules:
- RULE-SET,github-copilot,PROXY_GH_COPILOT
- DOMAIN-SUFFIX,github.com,PROXY_GH_COPILOT
- DOMAIN-SUFFIX,githubusercontent.com,PROXY_GH_COPILOT
- DOMAIN-SUFFIX,githubcopilot.com,PROXY_GH_COPILOTPair these rules with coherent DNS. Misaligned DoH, FakeIP, and OS stub resolvers still produce “rule matched but TLS fails” ghosts. Our DNS leak prevention guide walks through resolver alignment patterns that apply to any SaaS client, including IDE extensions that open many short-lived connections.
7 VS Code, JetBrains, CLI tools, and TUN versus system proxy
Editors download extensions from vendor marketplaces, but Copilot’s runtime still terminates HTTPS on GitHub-controlled hosts. System proxy mode helps when the IDE respects OS settings, yet language servers, helper daemons, and packaged runtimes sometimes open sockets that ignore HTTP_PROXY. For mixed workflows—browser SSO plus local tooling—TUN mode on Mihomo frequently yields the most consistent story because packets enter Clash before user-space libraries apply their own policy. Our Clash Verge Rev TUN guide covers loop avoidance and verification steps that generalize beyond Copilot.
If you stay on system proxy only, export HTTPS_PROXY for terminals running the Copilot CLI or automation, align SOCKS when required, and audit NO_PROXY so corporate registries and localhost are not accidentally hairpinned. Document the working combination for CI runners: nothing frustrates teams faster than “works on my laptop” when GitHub Actions omits proxy variables the extension relied on during local testing.
8 How this article complements Cursor and ChatGPT guides
Our Cursor-focused article concentrates on editor update channels, extension marketplaces, and AI features that may hit non-GitHub CDNs. Copilot, by contrast, anchors on GitHub’s identity and API fabric even when the UX lives inside VS Code. Likewise, the ChatGPT / OpenAI guide maps chatgpt.com and openai.com—orthogonal suffixes that will not rescue a Copilot outage. Treat each vendor article as a modular chapter: copy the block you need, keep shared infrastructure (DNS, TUN, logging discipline) identical across them.
9 Enterprise notes: GitHub Enterprise Cloud and compliance boundaries
Organizations on GitHub Enterprise Cloud may see additional hostnames under documented *.SUBDOMAIN.ghe.com patterns. If your security team publishes split tunnel lists, mirror those suffixes in Clash rather than assuming github.com alone suffices. Separately, reliable routing does not imply license entitlement: HTTP 401, 403, or quota responses after connectivity is restored are account or policy issues, not YAML typos. Rotate tokens that leaked into logs and use secret managers for shared automation accounts.
This article addresses client-side reachability for developers; it is not legal advice about regulated jurisdictions or acceptable-use policy. Use Copilot in accordance with GitHub’s terms and your employer’s AI governance framework.
10 DNS, logs, and troubleshooting without guesswork
Start every incident by filtering Mihomo logs for github and githubcopilot substrings, then sort by policy group. If you see unexpected DIRECT hits, scroll upward in rules: for a broader line that matched earlier. Streaming completions are sensitive to lossy routes: small JSON calls may succeed while long HTTP/2 streams stall, so swap exits only after you prove DNS and rule placement are clean.
IPv6 split paths remain a common footgun. When the OS prefers IPv6 first but your proxy path assumes IPv4-only hops, some sessions bypass Clash intermittently. Either route IPv6 consistently through Mihomo or temporarily isolate the issue by disabling IPv6 during triage, then return with a structural fix instead of leaving the toggle off forever.
11 FAQ
- Browser login works, but VS Code Copilot never connects: Confirm
githubusercontent.comandgithubcopilot.comshare the same policy group asgithub.com, enable TUN or fix proxy env vars for the IDE process, and re-check rule order above catch-alls. - Do I still need
api.githubcopilot.com? GitHub’s 2026 agent networking note says many self-hosted scenarios should migrate to plan-specificapi.*.githubcopilot.comhosts; keep the parentgithubcopilot.comsuffix to cover current and future names without chasing each announcement. - Can I proxy only model calls? Possible, but narrow rules demand extra verification that sign-in, telemetry, and asset downloads are not required by your editor build—logs should guide the cut, not assumptions.
- Does this replace OpenAI rules? No. Copilot may use OpenAI or other model providers under the hood, yet your client still speaks to GitHub-fronted endpoints; separate vendor guides remain relevant for direct API integrations.
12 Wrap-up
Stable GitHub Copilot access in 2026 is an exercise in mapping GitHub’s own network documentation to Clash primitives: keep github.com and api.github.com inside your Copilot policy for authentication and entitlement checks, cover githubusercontent.com for proxy and telemetry hosts the allowlist names explicitly, and treat githubcopilot.com—including plan-specific api.individual, api.business, and api.enterprise entry points—as the inference plane that must track GitHub’s subscription routing changes. With DOMAIN-SUFFIX rows ordered ahead of blunt GEOIP catch-alls, optional curated rule providers, and DNS aligned to Mihomo, you get repeatable logs that explain every connection an IDE makes.
Among comparable tools, Clash’s readable rules and mature desktop clients fit developers who split personal browsing, IDE extensions, and automation on one machine. When you need installers, prefer our download hub for versioned packages; reference GitHub upstreams for licenses and issues, not as the default path for casual installs.
Once routing stops stealing cycles, you can focus on code review, tests, and shipping features—which is exactly what a good developer network stack should enable for Copilot users in 2026.
