Tell HN: docker pull fails in spain due to football cloudflare block

I just spent 1h+ debugging why my locally-hosted gitlab runner would fail to create pipelines. The gitlab job output would just display weird TLS errors when trying to pull a docker images. After debugging gitlab and the runner, I realized after a while I could not even run "docker pull <image>" on my machine as root:

> error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

First blaming tailscale, dns configuration and all other stuff. Until I just copied that above URL into my browser on my laptop, and received a website banner:

> El acceso a la presente dirección IP ha sido bloqueado en cumplimiento de lo dispuesto en la Sentencia de 18 de diciembre de 2024, dictada por el Juzgado de lo Mercantil nº 6 de Barcelona en el marco del procedimiento ordinario (Materia mercantil art. 249.1.4)-1005/2024-H instado por la Liga Nacional de Fútbol Profesional y por Telefónica Audiovisual Digital, S.L.U. https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare

For those non-spanish speakers: It means there is football match on, and during that time that specific host is blocked. This is just plain madness. I guess that means my gitlab pipelines will not run when football is on. Thank you, Spain.

199 points | by littlecranky67 3 hours ago

17 comments

  • danirod 1 hour ago
    Heh, lucky you, at least you get a message. My ISP just drops traffic to the affected IPs. No ping, no traceroute, just a spinner in the browser until it says "page not found".

    Every response and comment from LaLiga, the football organization responsible for this, has been so far that this is a minor issue that only affects a few bunch of nerds who talk about "docker images" or "github repositories" or "whatever that means".

    Meanwhile, there are testimonies of smart home devices like anti-theft alarms or automatic doors, that stop working whenever there is a football match, because their backends rely on Cloudflare.

    Last week, a woman asked for help on social media, as the GPS tracking app she uses to see where her father with dementia is, went offline during a match. It was getting late and he still wasn't back home, and she couldn't locate the tag he was wearing to find him: https://www.infobae.com/america/agencias/2026/04/05/laliga-d...

    It's hard to say this, because no one should experience an event like this, but as stressful as these are, it's the only way to make the mainstream people care about this censorship. "I cannot pull a docker image" will never be on nightly news, but safety and personal security is a more powerful driver for discourses.

    [-]
    • pxc 34 minutes ago
      > Heh, lucky you, at least you get a message. My ISP just drops traffic to the affected IPs. No ping, no traceroute, just a spinner in the browser until it says "page not found".

      This is generally how the GFW works in China. Instead of an overbearing nanny like a school or corporation's DNS blocker, you're left with a sense that you're on a version of the Internet that is just intermittently and somewhat mysteriously broken.

      And indeed, in China, a lot of things that probably aren't fully intended to be blocked are not reliably accessible. Implementation varies, so you get strange routing and peering issues. It feels like an Internet that isn't fully formed, that hasn't finished coming together yet.

      Nation states and corporations obviously gain some things sometimes by having Internet censorship/blocking frameworks in place. Maybe, sometimes, ordinary people even benefit, too, if it helps shut down illegal and genuinely harmful businesses.

      But it feels like the whole world is gradually trending towards more and more Internet censorship without realizing that we are un-building a miraculous thing that took enormous effort and cleverness and expense to build. I wish we could think about this not only in terms of freedom (and we absolutely should think about it in terms of freedom), but how we are disintegrating the infrastructure of communication and computing.

    • freetanga 1 hour ago
      All people affected should file a complaint with your ISP and with Oficina de Atención al Usuario de Telecomunicaciones claiming financial loss for arbitrary service censorship.
      [-]
      • bakugo 46 minutes ago
        Sadly, it won't accomplish anything. La Liga seems to have enough political power in the country to bury all of that. Probably bribing everyone involved.
      • pixl97 48 minutes ago
        Yep, flood them with complaints.
    • the_gipsy 30 minutes ago
      It's ridiculous and wrong what LaLiga does. But it's also a weakeup call to consider ditching cloudflare's centralization.
      [-]
      • estebank 20 minutes ago
        The companies relying on cloudflare won't be in Spain. If you buy a GPS tracker by a Canadian company, developed in India, manufactured in China, they are unlikely to know, even it they cared, that a single country that accounts for a tiny percentage of their sales breaks fundamental internet infrastructure on the regular "because fútbol y dinero".

        And when purchasing a product, there's no "bill of materials" telling you about the services it relies on, beyond "internet connection" at best.

  • mrvaibh 1 hour ago
    This is a great example of why blanket IP blocking is such a terrible enforcement mechanism. Cloudflare hosts hundreds of thousands of services behind shared IP ranges — blocking one IP to stop a piracy stream takes out everything else on that IP, including Docker registries, API endpoints, and CDNs that have nothing to do with football.

      The real fix on your end until Spain sorts this out: set up a pull-through registry cache (e.g. registry:2 with proxy.remoteurl) on a VPS outside Spain, and point your Docker daemon's mirror config at it. Your
  GitLab runner pulls from the cache, the cache pulls from Docker Hub via a non-blocked IP. Also insulates you from Docker Hub rate limits.

  But yeah, the fact that a court order about football streaming can break docker pull for an entire country is genuinely absurd.
    [-]
    • tom1337 15 minutes ago
      just wait until they block Azure as well so the official La Liga site also stops working
  • utrack 2 hours ago
    They block the whole of Cloudflare R2, I believe the Docker hub is just (heh) a collateral.

    When the La Liga match starts, everything that's proxied via CF (including zero access reverse tunnels) stops working.

    There's even a website made for checking if the match is on: https://hayahora.futbol/

    You can check if your host is affected: https://hayahora.futbol/#comprobador&domain=docker-images-pr...

    [-]
    • mr_mitm 1 hour ago
      Why do they do that? Sorry, I don't speak Spanish.
      [-]
      • michaelt 15 minutes ago
        The football league would rather not have pirates livestream their ~90 minute games.

        Pirates would rather not be blocked, so they create a new, disposable website for every game. Any blocking must happen fast.

        Cloudflare would rather not block websites without a court order specifying the sites to be blocked.

        The courts would rather not create a special fast lane through the courts, just to resolve a squabble between two huge corporations.

      • quadrifoliate 1 hour ago
        Here's a good English-language article about it, with a timeline: https://daniel.es/blog/cloudflare-vs-la-liga/

        Looks like same old regulatory capture.

        [-]
      • lentil_soup 24 minutes ago
        to stop people pirating football streams while matches are on. Insanity
      • prmoustache 1 hour ago
        Because LaLiga and football in general is what is governing Spain really.
      • bakugo 1 hour ago
        The website has a language selector on the right just below the initial screen, just FYI.
      • ShowalkKama 1 hour ago
        to """"""""""prevent piracy""""""""""
  • jcalvinowens 5 minutes ago
    This is the moral equivalent of shutting the water off for a whole city because one dude's house has a leak. The harms to society clearly and obviously outweigh any possible benefits to society. But if that one dude has the power to shut it all off, and doesn't care...
  • torben-friis 5 minutes ago
    As a Spaniard, I would be very happy it cloudflare stops serving Spain. The situation is beyond stupid and I know without international pressure and shaming we're not getting rid of this abuse.
  • pjc50 1 hour ago
    This is why technology businesses and professionals need to take a little bit of an active role in local politics. Otherwise you get nonsense.
    [-]
    • DocTomoe 35 minutes ago
      That's an interesting euphenism for 'spend a massive amount of money on ~~corruption~~ lobbying',
      [-]
      • lentil_soup 20 minutes ago
        not necesarilly, any government will make decisions, if there's no one to speak up and inform them why the decision is stupid, like the one from LaLiga, then we end up in this situation
        [-]
        • afh1 8 minutes ago
          This is incredibly naive.
  • Jare 18 minutes ago
    It's a disgrace, but apparently all relevant forces still consider soccer the most important thing in the country.
  • sigio 2 hours ago
    Time to use a VPN in your docker pipelines ;) Or run your systems outside of Spain.

    Or can this be avoided by using an alternate DNS?

    [-]
    • darkwater 2 hours ago
      They are planning to also block VPN providers during football matches, see https://www.techradar.com/vpn/vpn-privacy-security/la-liga-w...
      [-]
      • prmoustache 1 hour ago
        When talking about VPNs, it doesn't have to mean "third party VPN". You can host your own on any VPN service outside of Spain.
        [-]
        • darkwater 1 hour ago
          Yes, but that's not something many can do easily. Also already having to use a VPN is not the "right" solution. The right so solution is to beat some sense inside some politician's head, and force them to write and approve laws that don't let stupid (or conniving) judges pass orders like this one we are talking about.
          [-]
          • prmoustache 35 minutes ago
            I agree it is not the right solution.

            But anyone who is pulling docker images in a sunday afternoon while the rest of the country is glued to their screen to watch a football game or enjoying a sunny sunday outside having beers and tapas and what not should be capable of setting up wireguard.

          • marginalia_nu 26 minutes ago
            Given the context of the HN audience, it's probably something you can do.
      • Mordisquitos 2 hours ago
        They are not "planning" to block VPNs. A technologically illiterate judge has ordered it, but there are no plans nor mechanisms to enforce it.
        [-]
        • darkwater 1 hour ago
          The exact same stupid mechanism they are already using. Forcing ISPs to blackhole whole subnets if they belong to the VPN provider ASN(s).
        • chrismustcode 1 hour ago
          If they can block IPs of cloudflare what extra mechanisms would be needed to block VPN IPs?
          [-]
          • chmod775 1 hour ago
            The only viable way to even get most of them is to shut down internet access entirely. It's not a realistic solution, unlike blocking a few well known IP ranges belonging to a large corp like Cloudflare.

            And even if you managed to get them all beforehand, some VPN providers will adapt and keep some servers in reserve, putting them online just as you managed to block the previous ones. Getting around internet censorship is a large chunk of their business, and some are really good at it.

          • mr-wendel 49 minutes ago
            It's a game. The VPN marketplace is huge so it's wack-a-mole.

            Big companies don't hide their VPN ASNs. Obscure, for sure, but getting a good list isn't hard. Usually they get blocked.

            Smaller companies may pass under the radar, and have higher tolerance for risky strategies.

            The fringe providers are the problem. They aggressively change IP ranges, front-vs-obscure ownership, and play dirty. Shady folks will resell residential ranges. End-users often get tainted goods.

            ... and you still have the collateral damage game when VPNs host infra with big cloud providers vs colofarms vs self-host, etc.

      • ufocia 1 hour ago
        "A _Sanish_ Court has ordered NordVPN and Proton VPN to block IPs transmitting illegal football streams" [emphasis added], that is inspain.
    • skgsergio 1 hour ago
      Alternate DNS doesn't help, they block at IP level.

      Yes, they block IPs belonging to CDNs (CF including R2, BunnyCDN, CDN77, Fastly, Alibaba, Akamai even)...

    • littlecranky67 1 hour ago
      It is not a DNS based block, but on the IP level. Once I knew what caused the issue, I figured I use one of my Hetzner vServers as an exit node in tailscale.

      But come on, this can't be true. I wonder how many other people in IT wasted hours on issues and tickets to find out it is due to a football match taking place. Admittedly, chances are low, as football matches are usually outside of office hours.

  • vaylian 2 hours ago
    This is a know issue and it is completely fucked up: https://www.techradar.com/vpn/vpn-privacy-security/cloudflar...

    What Spain does is basically censorship and it's very poorly executed. The docker image registry is only one out of the many collateral victims of this stupid law.

  • anthk 1 hour ago
    CF could just sue LaLiga and the judge as interrupting and intercepting telecomms it's a really serious crime in Spain. Call the AEPD too because of consumers' right against both ISP and LaLiga's snooping. Another huge fine.

    This is not an issue under the civil code (civilian issues), but something to be dealt under penal (criminal) code.

    In Spanish

    https://www.fiscal.es/memorias/memoria2020/FISCALIA_SITE/rec...

    Oh, and BTW, LaLiga has just partnered with a CF rival.

    Now CF can just sue both like hell because of unfair competition:

    https://nitter.tiekoetter.com/xataka/status/2042658662850724...

    [-]
  • renewiltord 7 minutes ago
    Not everything has to be about docker and tech, dude. Go buy a ticket to the game or go out and get a meal with your wife. Learn to enjoy life. Take siesta. Constantly debugging makes you sound American.
  • jimaek 2 hours ago
    Off topic but I wonder when Cloudflare is going to launch their own Docker registry as a product.
    [-]
    • ImJasonH 1 hour ago
      It's pretty easy to write your own. I made this one a while ago: https://github.com/chainguard-dev/crow-registry
    • wqtz 1 hour ago
      Well, Cloudflare does not launch anything. They acquire to build products. Look into all their recent product launches. They acquired a relatively small company and converted the founding team to a product team.

      So, if you want them to build stuff, ask yourself, are there any "Docker Registry" startups out there. If jsdelivr/globalping is not keeping you busy enough... there is an idea

      [-]
      • jimaek 1 hour ago
        Honestly I would build it if I knew how to properly market it to quickly get users.

        Globalping and jsDelivr took years to gain a meaningful user base

        [-]
        • wqtz 37 minutes ago
          I do not think that is the issue. The recent acquisitions from all these big tech companies did not have any "meaningful" user base to begin with.

          I think your name alone carries significant weight in the industry and you have built a very large community.

          If you even vibe code something with, you will get a stupid amount of money thrown at you and a contract that bounds your existing projects and the next 3-5 years to a particular company as project lead.

          Here is a list of acquisitions Cloudflare made recently: https://blog.cloudflare.com/tag/acquisitions/

          Most of these companies did not have a half dozen paying customer or even a fully fleshed-out product before they were acquired.

    • vaylian 2 hours ago
      What would the business case be?
      [-]
      • jimaek 2 hours ago
        Capture developers and funnel them to the Workers platform
  • ahachete 2 hours ago
    Yeah, I know. Welcome to the club :(

    https://x.com/ahachete/status/2035783292549755228

  • richwater 1 hour ago
    Spain is a failing country. Their economy is in shambles and the government has ceded internet control to a private corporation who runs football games.
    [-]
  • anthk 1 hour ago
    Yea, La Liga it's crapping out as always. Docker needs either some I2P gateway, or a Tor service.
  • mathfailure 2 hours ago
    Cloudflare is cancer. And the tumor is now too big.
    [-]
    • Cpoll 1 hour ago
      You've got it backwards. Spain's ISPs are blocking Cloudflare and other CDNs because of LaLiga/football piracy. CloudFlare isn't doing anything here.
      [-]
      • otterley 0 minutes ago
        I know this is an unpopular opinion among freedom maximalists, but:

        It’s precisely because CloudFlare isn’t responding fast enough to pirate origin sites that this mess exists. If they reacted quickly to remove configurations that are obviously facilitating copyright infringement, Spain wouldn’t resort to full scale ASN blocking.

        How do we know it’s CloudFlare? Because other CDNs like CloudFront, Akamai, Fastly, etc. respond to takedown demands and aren’t being blocked.

      • sph 1 hour ago
        You are correct, but Cloudflare is still a cancer on the Internet.
        [-]
        • petcat 1 hour ago
          Rampant bot traffic and scrapers are the real cancer. Until that goes away everyone is going to need cloudflare or some other bot firewall service.
          [-]
          • adrian_b 37 minutes ago
            Perhaps that is true, but the Cloudflare anti-bot protection is too stupid and annoying.

            They should have used a cookie or something else that does not require asking me every few minutes to prove once more that I am not a bot.

            There was a time when Cloudflare had become less intrusive, but for the last months it has begun again to intervene almost each time when opening some pages.

            There is no doubt that anti-bot protection can be implemented in a better way than Cloudflare does, but presumably the alternatives would consume more resources on their servers, so probably they choose whatever minimizes their costs, regardless if that ensures maximum discomfort for Internet users.

          • Duwensatzaj 39 minutes ago
            It won’t. Some people are perfectly happy to destroy and destroy as long as they get some small portion as profit for themselves.
      • jbxntuehineoh 50 minutes ago
        cf is failing to comply with Spanish law and as a result is being blocked in Spain
    • skgsergio 1 hour ago
      I can agree on how much power on the global traffic they have, but this blocks affect many other CDNs like Fastly, Akamai, CDN77, BunnyCDN, Alibaba...
    • petcat 1 hour ago
      Spain is mandating their ISPs block cloudflare to stop people from illegally streaming soccer games. Cloudflare isn't the one doing the blocking.
    • StrLght 1 hour ago
      You made a few typos in "LaLiga"
    • ufocia 1 hour ago
      How so?