Mastodawn

Tell HN: docker pull fails in spain due to football cloudflare block

I just spent 1h+ debugging why my locally-hosted gitlab runner would fail to create pipelines. The gitlab job output would just display weird TLS errors when trying to pull a docker images. After debugging gitlab and the runner, I realized after a while I could not even run "docker pull <image>" on my machine as root:

> error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

First blaming tailscale, dns configuration and all other stuff. Until I just copied that above URL into my browser on my laptop, and received a website banner:

> El acceso a la presente dirección IP ha sido bloqueado en cumplimiento de lo dispuesto en la Sentencia de 18 de diciembre de 2024, dictada por el Juzgado de lo Mercantil nº 6 de Barcelona en el marco del procedimiento ordinario (Materia mercantil art. 249.1.4)-1005/2024-H instado por la Liga Nacional de Fútbol Profesional y por Telefónica Audiovisual Digital, S.L.U.
https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare

For those non-spanish speakers: It means there is football match on, and during that time that specific host is blocked. This is just plain madness. I guess that means my gitlab pipelines will not run when football is on. Thank you, Spain.

They block the whole of Cloudflare R2, I believe the Docker hub is just (heh) a collateral.

When the La Liga match starts, everything that's proxied via CF (including zero access reverse tunnels) stops working.

There's even a website made for checking if the match is on: https://hayahora.futbol/

You can check if your host is affected: https://hayahora.futbol/#comprobador&domain=docker-images-pr...

¿Hay ahora fútbol?

Real-time monitoring of LaLiga's IP blocks affecting Spanish internet users.

Why do they do that? Sorry, I don't speak Spanish.

quadrifoliate 3d ago

Here's a good English-language article about it, with a timeline: https://daniel.es/blog/cloudflare-vs-la-liga/

Looks like same old regulatory capture.

Football, Power, and Censorship: How La Liga Broke the Spanish Internet

La Liga’s aggressive anti-piracy campaign is causing widespread internet censorship in Spain — affecting businesses, developers, and major platforms like Vercel and Cloudflare

Daniel García

Also, a classic tweet from the Cloudflare CEO re their fight with Italians authorities re censorship:

https://xcancel.com/eastdakota/status/2009654937303896492

Everyone looks bad in this conflict.

Matthew Prince 🌥 (@eastdakota)

Yesterday a quasi-judicial body in Italy fined @Cloudflare $17 million for failing to go along with their scheme to censor the Internet. The scheme, which even the EU has called concerning, required us within a mere 30 minutes of notification to fully censor from the Internet any sites a shadowy cabal of European media elites deemed against their interests. No judicial oversight. No due process. No appeal. No transparency. It required us to not just remove customers, but also censor our 1.1.1.1 DNS resolver meaning it risked blacking out any site on the Internet. And it required us not just to censor the content in Italy but globally. In other words, Italy insists a shadowy, European media cabal should be able to dictate what is and is not allowed online. That, of course, is DISGUSTING and even before yesterday’s fine we had multiple legal challenges pending against the underlying scheme. We, of course, will now fight the unjust fine. Not just because it’s wrong for us but because it is wrong for democratic values. In addition, we are considering the following actions: 1) discontinuing the millions of dollars in pro bono cyber security services we are providing the upcoming Milano-Cortina Olympics; 2) discontinuing Cloudflare’s Free cyber security services for any Italy-based users; 3) removing all servers from Italian cities; and 4) terminating all plans to build an Italian Cloudflare office or make any investments in the country. Play stupid games, win stupid prizes. While there are things I would handle differently than the current U.S. administration, I appreciate @JDVance taking a leadership role in recognizing this type of regulation is a fundamental unfair trade issue that also threatens democratic values. And in this case @ElonMusk is right: #FreeSpeech is critical and under attack from an out-of-touch cabal of very disturbed European policy makers. I will be in DC first thing next week to discuss this with U.S. administration officials and I’ll be meeting with the IOC in Lausanne shortly after to outline the risk to the Olympic Games if @Cloudflare withdraws our cyber security protection. In the meantime, we remain happy to discuss this with Italian government officials who, so far, have been unwilling to engage beyond issuing fines. We believe Italy, like all countries, has a right to regulate the content on networks inside its borders. But they must do so following the Rule of Law and principles of Due Process. And Italy certainly has no right to regulate what is and is not allowed on the Internet in the United States, the United Kingdom, Canada, China, Brazil, India or anywhere outside its borders. THIS IS AN IMPORTANT FIGHT AND WE WILL WIN!!!

Nitter

prmoustache 3d ago

Because LaLiga and football in general is what is governing Spain really.

The website has a language selector on the right just below the initial screen, just FYI.

lentil_soup 3d ago

to stop people pirating football streams while matches are on. Insanity

michaelt 3d ago

The football league would rather not have pirates livestream their ~90 minute games.

Pirates would rather not be blocked, so they create a new, disposable website for every game. Any blocking must happen fast.

Cloudflare would rather not block websites without a court order specifying the sites to be blocked.

The courts would rather not create a special fast lane through the courts, just to resolve a squabble between two huge corporations.

> The football league would rather not have pirates livestream their ~90 minute games.

Funny enough, I work in IT and I've had to use a VPN to be able to do my job when soccer is on, but my two non-tech-savy family members that do watch soccer using pirate livestreams say that they've never had any issues with blocked streams.

But you must realize, the alternative to this is that some very wealthy Spanish companies ... lose a small amount of money.

Surely you understand now. Go about your business, poor person.

ryandrake 3d ago

They don't even "lose a small amount of money." They simply gain less money than usual for a short period of time. Think of how rough that is for them.

KAMSPioneer 3d ago

I work in IT and have found that the issue impacts my work but not my ability to stream sports from sites of questionable legality. Of course, I don't pirate La Liga matches but that's primarily because I don't give a shit about soccer.

But the point is that the measure does more to block legitimate use than illegitimate (in my experience). And next they want to go after VPNs. Wonderful.

fc417fc802 3d ago

But think of the children ... and futbol!

lentil_soup 3d ago

> Cloudflare would rather not block websites without a court order specifying the sites to be blocked.

why would they?

> squabble between two huge corporations

I think this is just LaLiga using it's cultural and economical power, don't think Cloudflare or the courts should be making exceptions just so they can control how people watch football

>why would they?

Plenty of companies proactively take action against shady users, even if not 100% required under law. Youtube has content id, social media companies have "community guidelines", and ISPs have AUPs.

> why would they?

Well, in this case, the alternative is all of Spain intermittently blocking lots of Cloudflare.

But if Cloudflare bows to Spain in this case, every jurisdiction will want to pile up lots of special case rules for Cloudflare to try and implement.

teaearlgraycold 3d ago

The US is captured by the Israeli lobby. Spain is captured by the football lobby.

Heh, lucky you, at least you get a message. My ISP just drops traffic to the affected IPs. No ping, no traceroute, just a spinner in the browser until it says "page not found".

Every response and comment from LaLiga, the football organization responsible for this, has been so far that this is a minor issue that only affects a few bunch of nerds who talk about "docker images" or "github repositories" or "whatever that means".

Meanwhile, there are testimonies of smart home devices like anti-theft alarms or automatic doors, that stop working whenever there is a football match, because their backends rely on Cloudflare.

Last week, a woman asked for help on social media, as the GPS tracking app she uses to see where her father with dementia is, went offline during a match. It was getting late and he still wasn't back home, and she couldn't locate the tag he was wearing to find him: https://www.infobae.com/america/agencias/2026/04/05/laliga-d...

It's hard to say this, because no one should experience an event like this, but as stressful as these are, it's the only way to make the mainstream people care about this censorship. "I cannot pull a docker image" will never be on nightly news, but safety and personal security is a more powerful driver for discourses.

LaLiga desmiente que sus sistemas antipiratería hayan hecho fallar un dispositivo de localización personal

Un usuario denunció dificultades para rastrear a un familiar vulnerable, relacionando el incidente con bloqueos tecnológicos, pero la organización recalca que no hay pruebas que respalden esa acusación y rechaza cualquier vínculo con interrupciones de servicios legítimos

infobae

freetanga 3d ago

All people affected should file a complaint with your ISP and with Oficina de Atención al Usuario de Telecomunicaciones claiming financial loss for arbitrary service censorship.

Yep, flood them with complaints.

Sadly, it won't accomplish anything. La Liga seems to have enough political power in the country to bury all of that. Probably bribing everyone involved.

cluckindan 3d ago

Corruption at that level could mean organized crime. Is there a culture of betting through illegal bookies, are they fixing matches, or ¿porque no los dos?

dualvariable 3d ago

penalti para el real madrid!

loloquwowndueo 3d ago

It would be great if there was a webpage with clear instructions on how to do this, maybe fill out a few questions and get a printable pdf you can mail, or at least telling you how to file an online complaint. Making complaints very low friction will lead to more of those and perhaps more attention to the issue.

Snail mail uses up physical space so it might get more attention, it would be hilarious to see news reports of truckloads of complaint mail being dumped in front of the whatever office.

> Heh, lucky you, at least you get a message. My ISP just drops traffic to the affected IPs. No ping, no traceroute, just a spinner in the browser until it says "page not found".

This is generally how the GFW works in China. Instead of an overbearing nanny like a school or corporation's DNS blocker, you're left with a sense that you're on a version of the Internet that is just intermittently and somewhat mysteriously broken.

And indeed, in China, a lot of things that probably aren't fully intended to be blocked are not reliably accessible. Implementation varies, so you get strange routing and peering issues. It feels like an Internet that isn't fully formed, that hasn't finished coming together yet.

Nation states and corporations obviously gain some things sometimes by having Internet censorship/blocking frameworks in place. Maybe, sometimes, ordinary people even benefit, too, if it helps shut down illegal and genuinely harmful businesses.

But it feels like the whole world is gradually trending towards more and more Internet censorship without realizing that we are un-building a miraculous thing that took enormous effort and cleverness and expense to build. I wish we could think about this not only in terms of freedom (and we absolutely should think about it in terms of freedom), but how we are disintegrating the infrastructure of communication and computing.

> a version of the Internet that is just intermittently and somewhat mysteriously broken.

That's actually just how the Internet is. Nothing to do with the great firewall.

RiverCrochet 3d ago

Your last paragraph: it is sad. But we had successful global networks before the Internet (the PSTN, telegraph) and we'll certainly have global networks after this at some point in human history. Perhaps in the the time between the Internet and what's next, the world will become a bit more mature about a few things.

mschuster91 3d ago

> But we had successful global networks before the Internet (the PSTN, telegraph)

These were ripe with espionage, wiretapping and sabotage. Access to it used to be highly restricted as well, up until the 90s for example you were only allowed to connect government-licensed modems to the German PSTN directly.

There was also no way for a normal person to easily and cheaply communicate with 20 million people in realtime.

the_gipsy 3d ago

It's ridiculous and wrong what LaLiga does. But it's also a weakeup call to consider ditching cloudflare's centralization.

estebank 3d ago

The companies relying on cloudflare won't be in Spain. If you buy a GPS tracker by a Canadian company, developed in India, manufactured in China, they are unlikely to know, even it they cared, that a single country that accounts for a tiny percentage of their sales breaks fundamental internet infrastructure on the regular "because fútbol y dinero".

And when purchasing a product, there's no "bill of materials" telling you about the services it relies on, beyond "internet connection" at best.

>fundamental internet infrastructure

I'm not saying this situation isn't bullshit, but the bigger problem is that CloudFlare is now "fundamental internet infrastructure". This is precisely the situation that the internet was designed to prevent.

Yesterday I got stuck in endless CloudFlare CAPTCHA's, trying to access theretroweb.com. I had to give up. Many such cases. I hate CloudFlare so much, it's unreal.

boredatoms 3d ago

Perhaps its time to put a VPN into all your CI jobs

tryauuum 3d ago

You can't fight political issues with clever technical solutions

psychoslave 3d ago

That's actually part of rebellion modus operandi, so totally something realistic. But not within the frame of law and not in the sweet position of someone away from the "I'll die for the just cause" mindset.

tryauuum 3d ago

can you rephrase your idea please. What's realistic, fighting stupid laws or corporations with a VPN? Yes, but not for long. They are always stronger than you, they can switch from blacklisting to whitelisting and your VPN becomes useless.

What is this "sweet position" you talk about?

psychoslave 3d ago

Sorry for being unclear.

I was trying to refer to an actual rebel position, which is actors which use illegal practices to achieve their goals agaisnt institutions in place. Which might have the cool attitude imagery attached to it, but which is certainly not an easy one in reality.

It depends on what the political system is trying to do.

A VPN won't help against government blanket outages, where the target is complete control of communications, and attempts to circumvent may result in extreme penalty. In this case, where the government policy is to stop unauthorized streaming, and collatoral damage is acceptable, a VPN hosted in a more favorable location is likely to work enough. Afaik, I don't think Spain has the political appetite to block VPNs and such during football matches.

You can still fight the political issue with political means, but in the mean time, you can also get work done.

logicchains 3d ago

You totally can, that's why bittorrent still exists and works fine.

fc417fc802 3d ago

That became a popular refrain at some point but the truth of it varies. In fact many political issues are brought about by technical changes so obviously the reverse must be possible as well.

What technical solutions can't change is the underlying social dynamics.

tobz1000 3d ago

> there are testimonies of smart home devices like anti-theft alarms or automatic doors, that stop working whenever [...] because their backends rely on Cloudflare.

The fault here lies 100% with horribly designed IoT devices that turn into bricks when they lose internet connection.

This is a great example of why blanket IP blocking is such a terrible enforcement mechanism. Cloudflare hosts hundreds of thousands of services behind shared IP ranges — blocking one IP to stop a piracy stream
takes out everything else on that IP, including Docker registries, API endpoints, and CDNs that have nothing to do with football.

  The real fix on your end until Spain sorts this out: set up a pull-through registry cache (e.g. registry:2 with proxy.remoteurl) on a VPS outside Spain, and point your Docker daemon's mirror config at it. Your
  GitLab runner pulls from the cache, the cache pulls from Docker Hub via a non-blocked IP. Also insulates you from Docker Hub rate limits.

But yeah, the fact that a court order about football streaming can break docker pull for an entire country is genuinely absurd.

just wait until they block Azure as well so the official La Liga site also stops working

jacquesm 3d ago

Hmmm. Don't they have a reporting form or something like that? Down with those filthy Azure pirates on IP 52.166.113.188.

littlecranky67 3d ago

I wondered how they actually managed to have their own business to be unencumbered by that. At a certain corporate level, you have to have some piece of tech in your portfolio that relies on cloudflare. I hope one day there companion or "2nd screen" apps stops working during a game, because using cloudflare.

Barring an Internet giant suing them in court, it really feels like this is unlikely to change as most just don’t understand the why or the effect.

Someone needs to write a heist movie set in Spain where a key part of the plan is they steal something while La Liga is blocking some key security route.

jesuslop 3d ago

Just to confirm it is true. This is LaLiga bringing down essential country-wide infrastructure on soccer hours if your internet access is through main ISPs.