Tell HN: docker pull fails in spain due to football cloudflare block
137 points
2 hours ago
| 12 comments
| HN
I just spent 1h+ debugging why my locally-hosted gitlab runner would fail to create pipelines. The gitlab job output would just display weird TLS errors when trying to pull a docker images. After debugging gitlab and the runner, I realized after a while I could not even run "docker pull <image>" on my machine as root:

> error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

First blaming tailscale, dns configuration and all other stuff. Until I just copied that above URL into my browser on my laptop, and received a website banner:

> El acceso a la presente dirección IP ha sido bloqueado en cumplimiento de lo dispuesto en la Sentencia de 18 de diciembre de 2024, dictada por el Juzgado de lo Mercantil nº 6 de Barcelona en el marco del procedimiento ordinario (Materia mercantil art. 249.1.4)-1005/2024-H instado por la Liga Nacional de Fútbol Profesional y por Telefónica Audiovisual Digital, S.L.U. https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare

For those non-spanish speakers: It means there is football match on, and during that time that specific host is blocked. This is just plain madness. I guess that means my gitlab pipelines will not run when football is on. Thank you, Spain.

danirod
55 minutes ago
[-]
Heh, lucky you, at least you get a message. My ISP just drops traffic to the affected IPs. No ping, no traceroute, just a spinner in the browser until it says "page not found".

Every response and comment from LaLiga, the football organization responsible for this, has been so far that this is a minor issue that only affects a few bunch of nerds who talk about "docker images" or "github repositories" or "whatever that means".

Meanwhile, there are testimonies of smart home devices like anti-theft alarms or automatic doors, that stop working whenever there is a football match, because their backends rely on Cloudflare.

Last week, a woman asked for help on social media, as the GPS tracking app she uses to see where her father with dementia is, went offline during a match. It was getting late and he still wasn't back home, and she couldn't locate the tag he was wearing to find him: https://www.infobae.com/america/agencias/2026/04/05/laliga-d...

It's hard to say this, because no one should experience an event like this, but as stressful as these are, it's the only way to make the mainstream people care about this censorship. "I cannot pull a docker image" will never be on nightly news, but safety and personal security is a more powerful driver for discourses.

reply
freetanga
34 minutes ago
[-]
All people affected should file a complaint with your ISP and with Oficina de Atención al Usuario de Telecomunicaciones claiming financial loss for arbitrary service censorship.
reply
pixl97
5 minutes ago
[-]
Yep, flood them with complaints.
reply
bakugo
3 minutes ago
[-]
Sadly, it won't accomplish anything. La Liga seems to have enough political power in the country to bury all of that. Probably bribing everyone involved.
reply
mrvaibh
36 minutes ago
[-]
This is a great example of why blanket IP blocking is such a terrible enforcement mechanism. Cloudflare hosts hundreds of thousands of services behind shared IP ranges — blocking one IP to stop a piracy stream takes out everything else on that IP, including Docker registries, API endpoints, and CDNs that have nothing to do with football.

  The real fix on your end until Spain sorts this out: set up a pull-through registry cache (e.g. registry:2 with proxy.remoteurl) on a VPS outside Spain, and point your Docker daemon's mirror config at it. Your
  GitLab runner pulls from the cache, the cache pulls from Docker Hub via a non-blocked IP. Also insulates you from Docker Hub rate limits.

  But yeah, the fact that a court order about football streaming can break docker pull for an entire country is genuinely absurd.
reply
utrack
1 hour ago
[-]
They block the whole of Cloudflare R2, I believe the Docker hub is just (heh) a collateral.

When the La Liga match starts, everything that's proxied via CF (including zero access reverse tunnels) stops working.

There's even a website made for checking if the match is on: https://hayahora.futbol/

You can check if your host is affected: https://hayahora.futbol/#comprobador&domain=docker-images-pr...

reply
mr_mitm
1 hour ago
[-]
Why do they do that? Sorry, I don't speak Spanish.
reply
quadrifoliate
53 minutes ago
[-]
Here's a good English-language article about it, with a timeline: https://daniel.es/blog/cloudflare-vs-la-liga/

Looks like same old regulatory capture.

reply
prmoustache
37 minutes ago
[-]
Because LaLiga and football in general is what is governing Spain really.
reply
bakugo
17 minutes ago
[-]
The website has a language selector on the right just below the initial screen, just FYI.
reply
ShowalkKama
54 minutes ago
[-]
to """"""""""prevent piracy""""""""""
reply
pjc50
1 hour ago
[-]
This is why technology businesses and professionals need to take a little bit of an active role in local politics. Otherwise you get nonsense.
reply
sigio
1 hour ago
[-]
Time to use a VPN in your docker pipelines ;) Or run your systems outside of Spain.

Or can this be avoided by using an alternate DNS?

reply
darkwater
1 hour ago
[-]
They are planning to also block VPN providers during football matches, see https://www.techradar.com/vpn/vpn-privacy-security/la-liga-w...
reply
prmoustache
45 minutes ago
[-]
When talking about VPNs, it doesn't have to mean "third party VPN". You can host your own on any VPN service outside of Spain.
reply
darkwater
30 minutes ago
[-]
Yes, but that's not something many can do easily. Also already having to use a VPN is not the "right" solution. The right so solution is to beat some sense inside some politician's head, and force them to write and approve laws that don't let stupid (or conniving) judges pass orders like this one we are talking about.
reply
Mordisquitos
1 hour ago
[-]
They are not "planning" to block VPNs. A technologically illiterate judge has ordered it, but there are no plans nor mechanisms to enforce it.
reply
darkwater
33 minutes ago
[-]
The exact same stupid mechanism they are already using. Forcing ISPs to blackhole whole subnets if they belong to the VPN provider ASN(s).
reply
chrismustcode
1 hour ago
[-]
If they can block IPs of cloudflare what extra mechanisms would be needed to block VPN IPs?
reply
mr-wendel
6 minutes ago
[-]
It's a game. The VPN marketplace is huge so it's wack-a-mole.

Big companies don't hide their VPN ASNs. Obscure, for sure, but getting a good list isn't hard. Usually they get blocked.

Smaller companies may pass under the radar, and have higher tolerance for risky strategies.

The fringe providers are the problem. They aggressively change IP ranges, front-vs-obscure ownership, and play dirty. Shady folks will resell residential ranges. End-users often get tainted goods.

... and you still have the collateral damage game when VPNs host infra with big cloud providers vs colofarms vs self-host, etc.

reply
chmod775
53 minutes ago
[-]
The only viable way to even get most of them is to shut down internet access entirely. It's not a realistic solution, unlike blocking a few well known IP ranges belonging to a large corp like Cloudflare.

And even if you managed to get them all beforehand, some VPN providers will adapt and keep some servers in reserve, putting them online just as you managed to block the previous ones. Getting around internet censorship is a large chunk of their business, and some are really good at it.

reply
ufocia
1 hour ago
[-]
"A _Sanish_ Court has ordered NordVPN and Proton VPN to block IPs transmitting illegal football streams" [emphasis added], that is inspain.
reply
skgsergio
1 hour ago
[-]
Alternate DNS doesn't help, they block at IP level.

Yes, they block IPs belonging to CDNs (CF including R2, BunnyCDN, CDN77, Fastly, Alibaba, Akamai even)...

reply
littlecranky67
24 minutes ago
[-]
It is not a DNS based block, but on the IP level. Once I knew what caused the issue, I figured I use one of my Hetzner vServers as an exit node in tailscale.

But come on, this can't be true. I wonder how many other people in IT wasted hours on issues and tickets to find out it is due to a football match taking place. Admittedly, chances are low, as football matches are usually outside of office hours.

reply
vaylian
1 hour ago
[-]
This is a know issue and it is completely fucked up: https://www.techradar.com/vpn/vpn-privacy-security/cloudflar...

What Spain does is basically censorship and it's very poorly executed. The docker image registry is only one out of the many collateral victims of this stupid law.

reply
anthk
1 hour ago
[-]
CF could just sue LaLiga and the judge as interrupting and intercepting telecomms it's a really serious crime in Spain. Call the AEPD too because of consumers' right against both ISP and LaLiga's snooping. Another huge fine.

This is not an issue under the civil code (civilian issues), but something to be dealt under penal (criminal) code.

In Spanish

https://www.fiscal.es/memorias/memoria2020/FISCALIA_SITE/rec...

Oh, and BTW, LaLiga has just partnered with a CF rival.

Now CF can just sue both like hell because of unfair competition:

https://nitter.tiekoetter.com/xataka/status/2042658662850724...

reply
quadrifoliate
49 minutes ago
[-]
Looks like they already tried to appeal the block, and lost:

https://x.com/jaumepons/status/1904906677335245294

reply
prmoustache
48 minutes ago
[-]
I think they are doing it already.
reply
jimaek
1 hour ago
[-]
Off topic but I wonder when Cloudflare is going to launch their own Docker registry as a product.
reply
wqtz
43 minutes ago
[-]
Well, Cloudflare does not launch anything. They acquire to build products. Look into all their recent product launches. They acquired a relatively small company and converted the founding team to a product team.

So, if you want them to build stuff, ask yourself, are there any "Docker Registry" startups out there. If jsdelivr/globalping is not keeping you busy enough... there is an idea

reply
jimaek
26 minutes ago
[-]
Honestly I would build it if I knew how to properly market it to quickly get users.

Globalping and jsDelivr took years to gain a meaningful user base

reply
ImJasonH
1 hour ago
[-]
It's pretty easy to write your own. I made this one a while ago: https://github.com/chainguard-dev/crow-registry
reply
vaylian
1 hour ago
[-]
What would the business case be?
reply
jimaek
1 hour ago
[-]
Capture developers and funnel them to the Workers platform
reply
richwater
31 minutes ago
[-]
Spain is a failing country. Their economy is in shambles and the government has ceded internet control to a private corporation who runs football games.
reply
ahachete
1 hour ago
[-]
Yeah, I know. Welcome to the club :(

https://x.com/ahachete/status/2035783292549755228

reply
anthk
1 hour ago
[-]
Yea, La Liga it's crapping out as always. Docker needs either some I2P gateway, or a Tor service.
reply
mathfailure
1 hour ago
[-]
Cloudflare is cancer. And the tumor is now too big.
reply
Cpoll
1 hour ago
[-]
You've got it backwards. Spain's ISPs are blocking Cloudflare and other CDNs because of LaLiga/football piracy. CloudFlare isn't doing anything here.
reply
jbxntuehineoh
7 minutes ago
[-]
cf is failing to comply with Spanish law and as a result is being blocked in Spain
reply
sph
1 hour ago
[-]
You are correct, but Cloudflare is still a cancer on the Internet.
reply
petcat
58 minutes ago
[-]
Rampant bot traffic and scrapers are the real cancer. Until that goes away everyone is going to need cloudflare or some other bot firewall service.
reply
skgsergio
1 hour ago
[-]
I can agree on how much power on the global traffic they have, but this blocks affect many other CDNs like Fastly, Akamai, CDN77, BunnyCDN, Alibaba...
reply
petcat
1 hour ago
[-]
Spain is mandating their ISPs block cloudflare to stop people from illegally streaming soccer games. Cloudflare isn't the one doing the blocking.
reply
StrLght
1 hour ago
[-]
You made a few typos in "LaLiga"
reply
ufocia
1 hour ago
[-]
How so?
reply