# splice-domains.txt
#
# Domains Squid must NOT decrypt. With SSL-bump, "splice" = transparent
# passthrough: the client's TLS goes straight to the origin, so these are
# NOT cached and NOT inspected. Use for cert-pinned apps, banking, app-store /
# OS update channels, and anything that breaks under interception.
#
# One entry per line; a LEADING DOT matches all subdomains (.apple.com matches
# www.apple.com, gs.apple.com, ...). Full-line "#" comments only.
#
# IMPORTANT: do not list a domain both here AND in cache-domains.txt -- splice
# wins, so that domain would never be cached. Tune this list for your environment.

# ── OS / app-store update channels (commonly cert-pinned) ──
.apple.com
.icloud.com
.mzstatic.com
.windowsupdate.com
.update.microsoft.com
.android.clients.google.com
.play.googleapis.com

# ── Banking / payments (examples -- add your own) ──
.paypal.com
.stripe.com

# ── Messaging / pinned services ──
.whatsapp.net
.signal.org
.telegram.org
