Why developer traffic deserves its own routing lane
General web browsing and IDE or package-manager traffic look similar on paper—both are HTTPS—but they fail for different reasons and benefit from different policy choices. A tab that streams video tolerates occasional buffer stalls; an npm install with thousands of small requests does not. Cursor, built on the same extension ecosystem as VS Code, may contact update endpoints, marketplace mirrors, telemetry endpoints, and AI backends depending on your settings. pnpm defaults emphasize content-addressable storage and can hit different URL shapes than classic npm clients when resolving packages or talking to optional registries.
Putting all of that into one undifferentiated PROXY bucket is workable until you need contrast: a low-latency node for chatty API calls, a different region for registry downloads, or DIRECT for domestic sites that must not traverse an overseas exit. Split routing is the practice of naming those intents explicitly—usually with separate policy groups—and pointing rules at the right group in a predictable order. Clash does not know what “npm” is; it sees hostnames and IP flows. Your job is to translate product behavior into suffix rules, provider sets, or IP rules that match what your logs show.
This guide pairs naturally with our scenario article on ChatGPT and OpenAI API routing, which focuses on AI web and API hostnames. Here the emphasis is toolchain-shaped: registries, editor CDNs, Git hosts, and the operational footguns around TUN mode versus classic system proxy ports when local services enter the picture.
Hostnames and surfaces to plan for
Exact hostnames drift as vendors rearrange CDNs, so treat any static list as a starting point, not scripture. For JavaScript package work, registry.npmjs.org remains the default npm registry hostname for many workflows; corporate mirrors or Verdaccio instances introduce custom domains you must add yourself. pnpm may use the same registry URL as npm unless you override registry in .npmrc or environment variables—verify with pnpm config get registry on each machine. GitHub hosts countless tarballs and git operations; github.com, objects.githubusercontent.com, and related asset domains frequently appear in connection logs during installs and git clone.
Editor traffic is broader. VS Code–compatible clients often reach Microsoft-hosted endpoints for extension galleries and updates; Cursor adds its own first-party names for the product. Rather than chasing every subdomain by hand, start with suffix coverage for registrable bases you confirm in logs—DOMAIN-SUFFIX lines scale better than enumerating every asset host—then tighten with exact DOMAIN entries when one sibling must differ. If you rely on community rule sets via Rule Providers, read what each list actually contains; a generic “tracker block” list is a poor place to hide your registry exceptions.
Remember that not all slowness is “blocked overseas.” DNS mis-resolution, IPv6 oddities, flaky Wi-Fi, and disk-bound pnpm store operations can mimic proxy failure. Clash fixes path selection, not npm’s algorithmic dependency resolution or a spinning hard drive.
npm view or pnpm install with connection logging enabled, then align DOMAIN-SUFFIX coverage with the hostnames you actually see. Duplicate rules from blog posts without verification often miss the one CDN your region hits hardest.
Policy groups: naming developer lanes
Policy groups are the knobs your rules target. A pragmatic layout introduces a dedicated group for toolchain traffic—call it DEV, US, or REGISTRY—while keeping a separate group for general browsing or streaming. That separation does not magically improve throughput; it makes intent visible in the UI and lets you swap only the developer exit when something breaks, without touching unrelated tabs.
Common patterns mirror what we describe in the YAML policy groups guide: outer select for human choice, inner url-test for automatic picking among similar nodes, or fallback when resilience matters more than picking the absolute fastest hop. For long pnpm sessions, flapping automatic selections can be worse than a stable manual node—if streams reset mid-download, temporarily pin a single outbound in the DEV group to isolate the variable.
Nesting remains useful, but keep names honest. Six months later, you should read your YAML and know which group was meant for registry traffic versus which one was a catch-all for foreign sites. Undocumented cleverness rots quickly in teams.
proxy-groups: - name: "DEV" type: select proxies: - "SG-Auto" - "Direct" - name: "SG-Auto" type: url-test proxies: - "node-sg-1" - "node-sg-2" url: "https://www.gstatic.com/generate_204" interval: 300
The sketch is illustrative—your subscription’s node names and probe URL should follow operator guidance. The structural point is to give npm, pnpm, and editor flows a clear outbound you can reason about independently of your default foreign bucket.
Rules: placement, suffixes, and ordering discipline
Clash walks rules from top to bottom until one matches. Put narrower, intent-specific lines before broad catch-alls. Domestic DIRECT shortcuts and LAN exceptions often belong early; a final MATCH belongs at the end. Your developer lines should appear before any generic rule that would send registry or CDN traffic to the wrong policy group—for example, before a blunt GEOIP rule that might not align with how you want tarball downloads to exit.
A minimal skeleton might route confirmed registry and Git asset suffixes to DEV, while keeping unrelated traffic on your normal split. Exact policy names must match proxy-groups verbatim.
rules: - DOMAIN-SUFFIX,registry.npmjs.org,DEV - DOMAIN-SUFFIX,npmmirror.com,DEV - DOMAIN-SUFFIX,github.com,DEV - DOMAIN-SUFFIX,objects.githubusercontent.com,DEV - # Add editor or Cursor-specific suffixes you confirm in logs - # ... domestic DIRECT / GEOIP blocks ... - MATCH,PROXY
The mirror line is optional and only belongs if you actually use that mirror—community mirrors change over time. Prefer verifying hostnames over copying long domain lists from outdated gists. If you adopt Clash Meta (mihomo) rule-set syntax, precedence works the same way: position in the chain decides which policy wins.
Avoid keyword rules that are broader than you intend; they are easy to overfit and can pull unrelated traffic into DEV. When two rules could match, the earlier one wins—reordering is a legitimate fix, not a hack.
TUN mode versus system proxy: what actually gets captured
TUN virtual adapters transparently divert eligible IP traffic through the Clash stack. That is powerful for apps that ignore HTTP HTTPS_PROXY variables—some GUI tools fall in this bucket—but it is also where users accidentally sweep up flows meant to stay local. Classic system proxy mode exposes an HTTP and SOCKS port; well-behaved CLI tools can be pointed explicitly, while misconfigured terminals may bypass proxies entirely.
For npm and pnpm, explicit configuration often beats hope. Setting proxy and https-proxy in .npmrc, or exporting environment variables for a session, aligns the client with the port your Clash instance publishes—typically matching whatever you use for other CLI work. When you switch to TUN, many of those variables become less central because the OS routes packets differently; keep both mental models available and avoid mixing half-configured layers that fight each other.
DNS deserves a mention: if resolution happens outside Clash’s path, domain-based rules may see different inputs than you expect, especially when fake-IP or redir modes interact with how applications resolve names. Symptoms that look like “wrong proxy” are sometimes resolver interaction. Align DNS mode with what your profile assumes, and validate with a small test install before debugging large monorepos.
Loopback, localhost, and private LAN: do not break debugging
Local development lives on 127.0.0.1, localhost, and RFC1918 ranges—think 192.168.x.x, 10.x.x.x, and 172.16–31.x.x. Your Clash profile should keep those paths on DIRECT unless you have an extremely unusual lab setup. Accidentally hauling a request destined for a laptop-bound API server through an overseas outbound wastes time and breaks certificates and cookies in confusing ways.
Most templates place early IP-CIDR private-range rules or equivalent bypass entries ahead of broad proxies; verify your imported config did not drop them when merging snippets. For IPv6 loopback and link-local ranges, follow the same philosophy: if your stack uses IPv6 for local services, ensure your bypass list matches reality, not only IPv4 examples copied from older docs.
Container workflows add wrinkles: Docker Desktop, colima, or remote Kubernetes contexts may present names that resolve to virtual interfaces. When something “only breaks under TUN,” capture the destination IP and interface from logs before rewriting half your YAML. Often the fix is a precise DIRECT exception, not a new subscription.
localhost:3000, curl the origin with the client off. Isolating “app bug” from “routing loop” saves hours—especially when hot reload and websockets are involved.
Common stalls and what to verify
Symptom: extensions or IDE updates hang at 0%. Check whether asset hostnames are covered by your rules and whether a browser-only rule accidentally differs from the editor’s path. Compare connection logs for the failing session against a working fetch of the same URL through curl with explicit proxy settings.
Symptom: npm or pnpm timeouts mid-install. Confirm node health outside the registry path—your exit may drop long sessions. Try pinning a stable outbound in DEV, reduce parallel network concurrency temporarily, and watch for MTU or QUIC issues if your operator suggests specific tweaks.
Symptom: everything works in the browser but CLI tools fail. That split usually means environment variables or per-tool proxy settings are inconsistent. Align HTTPS_PROXY with Clash’s listening ports, or rely on TUN consistently—mixing often produces “mysterious” partial failures.
Symptom: local API calls suddenly traverse the tunnel. Revisit early DIRECT rules for loopback and LAN ranges; an over-broad MATCH or missing bypass is the usual culprit. This is not a Cursor-specific bug—it is routing precedence.
| What you see | Where to look first |
|---|---|
| Right hostname, wrong outbound | An earlier rule matched; reorder or narrow the broader matcher |
| IP-based path taken unexpectedly | DNS mode and fake-IP interactions; confirm domain visibility at match time |
| Works on Ethernet, flaky on Wi-Fi | Carrier or router IPv6 paths; compare resolver settings and disable experiments one at a time |
| Throughput fine, TLS handshake fails | System time, MITM proxies on the LAN, or outdated core—see Meta upgrade guide |
Core headroom and staying current
Modern registries and CDNs negotiate TLS features aggressively. Running a current Clash Meta (mihomo) core avoids handshake failures that masquerade as bad rules. The Meta upgrade guide walks through replacing the engine safely on desktop clients. Routing logic still lives in your YAML, but an outdated core should not be the reason you cannot complete a TLS session to a registry host.
Open source and where to read more
Clash Meta moves quickly; syntax and defaults evolve. For authoritative behavior, keep upstream documentation and release notes next to your profile. The mihomo repository is the right place for deep issues and advanced examples—separate from day-to-day installer downloads, which we keep on our site for clarity.
Closing thoughts
Splitting developer proxy traffic with Clash is less about chasing buzzwords and more about disciplined hostname coverage, clear policy groups, and rule order you can explain to teammates. Cursor, npm, and pnpm each stress the network differently, but the proxy layer still speaks in domains and IPs—give those flows a named lane, keep domestic and LAN shortcuts ahead of broad proxies, and validate TUN versus explicit proxy settings against how your terminals and GUI tools behave.
Compared with opaque one-size-fits-all toggles, explicit suffix rules and a dedicated DEV group age well: when a vendor adds a CDN host, you adjust a short block instead of guessing which mega-list swallowed your traffic. That maintainability mirrors why teams adopt Rule Providers for large sets—just keep developer-critical destinations reviewable so remote lists never silently override what you meant to allow.
DIRECT so local debugging stays boringly reliable.
For the full tour of match order and providers, continue with the YAML routing guide; for AI-specific hostnames, see the OpenAI split-routing article. Browse the full tech column for more.