Tell HN: docker pull fails in spain due to football cloudflare block

I just spent 1h+ debugging why my locally-hosted gitlab runner would fail to create pipelines. The gitlab job output would just display weird TLS errors when trying to pull a docker image. After debugging gitlab and the runner, I realized after a while I could not even run "docker pull <image>" on my machine as root:

> error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

First blaming tailscale, dns configuration and all other stuff. Until I just copied that above URL into my browser on my laptop, and received a website banner:

> Access to this IP address has been blocked in compliance with the Judgment of 18 December 2024, issued by the Juzgado de lo Mercantil nº 6 de Barcelona in ordinary proceedings (Commercial matters art. 249.1.4)-1005/2024-H brought by the Liga Nacional de Fútbol Profesional and by Telefónica Audiovisual Digital, S.L.U. https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare

For those non-Spanish speakers: It means there is a football match on, and during that time that specific host is blocked. This is just plain madness. I guess that means my gitlab pipelines will not run when football is on. Thank you, Spain.

240 points | by littlecranky67 4 hours ago

21 comments

  • danirod 2 hours ago
    Heh, lucky you, at least you get a message. My ISP just drops traffic to the affected IPs. No ping, no traceroute, just a spinner in the browser until it says "page not found".

    Every response and comment from LaLiga, the football organization responsible for this, has been so far that this is a minor issue that only affects a few bunch of nerds who talk about "docker images" or "github repositories" or "whatever that means".

    Meanwhile, there are testimonies of smart home devices like anti-theft alarms or automatic doors, that stop working whenever there is a football match, because their backends rely on Cloudflare.

    Last week, a woman asked for help on social media, as the GPS tracking app she uses to see where her father with dementia is, went offline during a match. It was getting late and he still wasn't back home, and she couldn't locate the tag he was wearing to find him: https://www.infobae.com/america/agencias/2026/04/05/laliga-d...

    It's hard to say this, because no one should experience an event like this, but as stressful as these are, it's the only way to make the mainstream people care about this censorship. "I cannot pull a docker image" will never be on nightly news, but safety and personal security is a more powerful driver for discourses.

    • pxc 1 hour ago
      > Heh, lucky you, at least you get a message. My ISP just drops traffic to the affected IPs. No ping, no traceroute, just a spinner in the browser until it says "page not found".

      This is generally how the GFW works in China. Instead of an overbearing nanny like a school or corporation's DNS blocker, you're left with a sense that you're on a version of the Internet that is just intermittently and somewhat mysteriously broken.

      And indeed, in China, a lot of things that probably aren't fully intended to be blocked are not reliably accessible. Implementation varies, so you get strange routing and peering issues. It feels like an Internet that isn't fully formed, that hasn't finished coming together yet.

      Nation states and corporations obviously gain some things sometimes by having Internet censorship/blocking frameworks in place. Maybe, sometimes, ordinary people even benefit, too, if it helps shut down illegal and genuinely harmful businesses.

      But it feels like the whole world is gradually trending towards more and more Internet censorship without realizing that we are un-building a miraculous thing that took enormous effort and cleverness and expense to build. I wish we could think about this not only in terms of freedom (and we absolutely should think about it in terms of freedom), but how we are disintegrating the infrastructure of communication and computing.

    • freetanga 1 hour ago
      All people affected should file a complaint with your ISP and with Oficina de Atención al Usuario de Telecomunicaciones claiming financial loss for arbitrary service censorship.
      • embedding-shape 24 minutes ago
        I've been filing complaints since a year ago, told others to do the same too, nothing happens. There have been moments I've meant to deploy fixes to issues but I cannot, because some tooling goes offline.

        I've claimed financial loss, claimed sanity loss and everything in-between, but I'm afraid unless something reaches the European/EU courts, Spain will continue to be in the pocket of the La Liga owners.

        Straight up fucking censorship with wide collateral being completely accepted in a Western country in 2026, beyond comprehension how this is allowed.

      • bakugo 1 hour ago
        Sadly, it won't accomplish anything. La Liga seems to have enough political power in the country to bury all of that. Probably bribing everyone involved.
        • cluckindan 6 minutes ago
          Corruption at that level could mean organized crime. Is there a culture of betting through illegal bookies, are they fixing matches, or ¿porque no los dos?
      • pixl97 1 hour ago
        Yep, flood them with complaints.
    • the_gipsy 59 minutes ago
      It's ridiculous and wrong what LaLiga does. But it's also a wake-up call to consider ditching cloudflare's centralization.
      • estebank 49 minutes ago
        The companies relying on cloudflare won't be in Spain. If you buy a GPS tracker by a Canadian company, developed in India, manufactured in China, they are unlikely to know, even if they cared, that a single country that accounts for a tiny percentage of their sales breaks fundamental internet infrastructure on the regular "because fútbol y dinero".

        And when purchasing a product, there's no "bill of materials" telling you about the services it relies on, beyond "internet connection" at best.

        • encom 19 minutes ago
          >fundamental internet infrastructure

          I'm not saying this situation isn't bullshit, but the bigger problem is that CloudFlare is now "fundamental internet infrastructure". This is precisely the situation that the internet was designed to prevent.

          Yesterday I got stuck in endless CloudFlare CAPTCHAs, trying to access theretroweb.com. I had to give up. Many such cases. I hate CloudFlare so much, it's unreal.

          • embedding-shape 12 minutes ago
            > This is precisely the situation that the internet was designed to prevent

            Right, but on the other hand, our constitution and laws are supposed to give us the rights to access an internet where for-profit companies cannot block entire companies who host websites, because a few bad websites are hosted there.

            Not to mention all us freelancers, contractors and just in general computing users, who sometimes want to continue working although 90% of the country is watching football, should be able to do so even if pirates use Cloudflare for shitty stuff.

            I agree that Cloudflare sucks, people should avoid defaulting to putting Cloudflare in front of absolutely everything they do and I too get stuck at the CAPTCHAs sometimes. But that doesn't remove the fact that Cloudflare, just like every other lawful company, should be allowed to be visited during La Liga matches.

    • boredatoms 13 minutes ago
      Perhaps it's time to put a VPN into all your CI jobs
  • giorgioz 0 minutes ago
    POSSIBLE FIX:

    I think changing your default DNS servers to Google 8.8.8.8 or Cloudflare 1.1.1.1 might bypass the Spanish Sunday ban on Cloudflare.

    macOS + Cloudflare 1.1.1.1 https://developers.cloudflare.com/1.1.1.1/setup/macos/

    Google 8.8.8.8 https://developers.google.com/speed/public-dns/docs/using

  • mrvaibh 1 hour ago
    This is a great example of why blanket IP blocking is such a terrible enforcement mechanism. Cloudflare hosts hundreds of thousands of services behind shared IP ranges — blocking one IP to stop a piracy stream takes out everything else on that IP, including Docker registries, API endpoints, and CDNs that have nothing to do with football.

    The real fix on your end until Spain sorts this out: set up a pull-through registry cache (e.g. registry:2 with proxy.remoteurl) on a VPS outside Spain, and point your Docker daemon's mirror config at it. Your GitLab runner pulls from the cache, the cache pulls from Docker Hub via a non-blocked IP. Also insulates you from Docker Hub rate limits.

    But yeah, the fact that a court order about football streaming can break docker pull for an entire country is genuinely absurd.
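The pull-through cache suggested in the comment above, as an added example that is not part of the original thread: it writes the registry config (`proxy.remoteurl`) for the VPS and the `registry-mirrors` entry for the runner host. `mirror.example.net`, the output directory and the container and volume names are placeholders, and TLS termination in front of the registry is assumed.

```shell
#!/bin/sh
# Added example: files for a Docker Hub pull-through cache and the client-side
# mirror setting. mirror.example.net and the output directory are placeholders.

# Write the registry config that turns registry:2 into a pull-through cache
# of Docker Hub. This file lives on the VPS outside the blocked network.
write_registry_config() {
    out_dir=$1
    mkdir -p "$out_dir"
    cat > "$out_dir/config.yml" <<'EOF'
version: 0.1
storage:
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
proxy:
  remoteurl: https://registry-1.docker.io
EOF
}

# Write daemon.json for the host that runs the GitLab runner.
# Plain-http mirrors are refused: the daemon would otherwise fetch manifests
# and layers over a channel that anything in the network path can rewrite.
write_daemon_json() {
    out_dir=$1
    mirror_url=$2
    case $mirror_url in
        https://*) ;;
        *) echo "mirror must be an https:// URL: $mirror_url" >&2; return 1 ;;
    esac
    mkdir -p "$out_dir"
    cat > "$out_dir/daemon.json" <<EOF
{
  "registry-mirrors": ["$mirror_url"]
}
EOF
}

# On the VPS (port bound to loopback, reverse proxy with TLS assumed in front):
#   docker run -d --restart=always --name hub-cache -p 127.0.0.1:5000:5000 \
#     -v "$PWD/config.yml:/etc/docker/registry/config.yml:ro" \
#     -v hub-cache-data:/var/lib/registry registry:2
# On the runner host: install daemon.json as /etc/docker/daemon.json, restart
# dockerd, then check that `docker info` lists the URL under "Registry Mirrors".

# Usage: sh hub-cache.sh generate https://mirror.example.net ./out
if [ "${1:-}" = "generate" ]; then
    write_registry_config "${3:-./out}" && write_daemon_json "${3:-./out}" "$2"
fi
```

The daemon's `registry-mirrors` setting only applies to Docker Hub images, and an unauthenticated cache is an open proxy, so restrict who can reach it (for example to the runner's VPN address).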
    • embedding-shape 21 minutes ago
      > This is a great example of why blanket IP blocking is such a terrible enforcement mechanism

      AFAIK, they're not doing "blanket IP blocking", they're intercepting requests based on DNS and IP, and try to serve their own certificates and their own content. Obviously, in most cases it fails, as the certificate doesn't match the site, so the browser rejects it, but as far as I can see and tell, there is no "blanket IP blocks", more like "DNS and IP interception".

      The difference doesn't really matter in practice, sucks regardless, but I thought I'd clarify for the ones who are not experiencing these blocks themselves at least.
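The two failure modes described in this thread (a foreign certificate served in place of the real one, and traffic silently dropped) leave different signatures in `docker pull` and CI logs. The triage below is an added example, not part of the original thread; the first sample line is the error quoted in the post, the other two are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage docker pull / CI log lines for the failure signatures
# discussed in this thread.

# Print "<verdict> <host>" for one log line.
#   cert-mismatch : TLS answered, but the certificate does not name the host
#                   (consistent with a block page or interception in the path)
#   no-response   : the TCP connection timed out (consistent with dropped traffic)
#   other         : anything else, e.g. auth or registry-side errors
classify_pull_error() {
    line=$1
    case $line in
        *"x509: certificate is not valid for any names, but wanted to match "*)
            host=${line##*wanted to match }
            echo "cert-mismatch ${host%%[ ,:]*}"
            ;;
        *"x509: certificate is valid for "*", not "*)
            host=${line##*, not }
            echo "cert-mismatch ${host%%[ ,:]*}"
            ;;
        *"dial tcp "*": i/o timeout"*)
            addr=${line##*dial tcp }
            echo "no-response ${addr%%: i/o timeout*}"
            ;;
        *)
            echo "other -"
            ;;
    esac
}

# Read a log on stdin and print each distinct network-level finding once.
triage_log() {
    while IFS= read -r line; do
        verdict=$(classify_pull_error "$line")
        case $verdict in
            other*) ;;
            *) echo "$verdict" ;;
        esac
    done | sort -u
}

# Sample input: line 1 is the error quoted in the post; lines 2 and 3 are
# constructed (203.0.113.10 is a documentation address).
sample_log() {
    cat <<'EOF'
error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com
Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp 203.0.113.10:443: i/o timeout
Error response from daemon: pull access denied for example/app, repository does not exist or may require 'docker login'
EOF
}

sample_log | triage_log
```

A `cert-mismatch` finding means certificate verification did its job; the response is to change the network path, not to disable verification or mark the registry as insecure.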

    • tom1337 44 minutes ago
      just wait until they block Azure as well so the official La Liga site also stops working
  • utrack 2 hours ago
    They block the whole of Cloudflare R2, I believe the Docker hub is just (heh) a collateral.

    When the La Liga match starts, everything that's proxied via CF (including zero access reverse tunnels) stops working.

    There's even a website made for checking if the match is on: https://hayahora.futbol/

    You can check if your host is affected: https://hayahora.futbol/#comprobador&domain=docker-images-pr...

    • mr_mitm 2 hours ago
      Why do they do that? Sorry, I don't speak Spanish.
      • michaelt 44 minutes ago
        The football league would rather not have pirates livestream their ~90 minute games.

        Pirates would rather not be blocked, so they create a new, disposable website for every game. Any blocking must happen fast.

        Cloudflare would rather not block websites without a court order specifying the sites to be blocked.

        The courts would rather not create a special fast lane through the courts, just to resolve a squabble between two huge corporations.

        • lentil_soup 21 minutes ago
          > Cloudflare would rather not block websites without a court order specifying the sites to be blocked.

          why would they?

          > squabble between two huge corporations

          I think this is just LaLiga using its cultural and economical power, don't think Cloudflare or the courts should be making exceptions just so they can control how people watch football

          • gruez 3 minutes ago
            >why would they?

            Plenty of companies proactively take action against shady users, even if not 100% required under law. Youtube has content id, social media companies have "community guidelines", and ISPs have AUPs.

        • n6242 26 minutes ago
          > The football league would rather not have pirates livestream their ~90 minute games.

          Funny enough, I work in IT and I've had to use a VPN to be able to do my job when soccer is on, but my two non-tech-savvy family members that do watch soccer using pirate livestreams say that they've never had any issues with blocked streams.

          • spwa4 18 minutes ago
            But you must realize, the alternative to this is that some very wealthy Spanish companies ... lose a small amount of money.

            Surely you understand now. Go about your business, poor person.

      • quadrifoliate 2 hours ago
        Here's a good English-language article about it, with a timeline: https://daniel.es/blog/cloudflare-vs-la-liga/

        Looks like same old regulatory capture.

      • prmoustache 1 hour ago
        Because LaLiga and football in general is what is governing Spain really.
      • lentil_soup 53 minutes ago
        to stop people pirating football streams while matches are on. Insanity
      • bakugo 1 hour ago
        The website has a language selector on the right just below the initial screen, just FYI.
      • ShowalkKama 2 hours ago
        to """"""""""prevent piracy""""""""""
  • jcalvinowens 34 minutes ago
    This is the moral equivalent of shutting the water off for a whole city because one dude's house has a leak. The harms to society clearly and obviously outweigh any possible benefits to society. But if that one dude has the power to shut it all off, and doesn't care...
  • yangm97 5 minutes ago
    Maybe it’s time to reflect upon the reliance on centralized services? Not long ago docker hub started rate limiting access and we all turned to blanket solutions like the GitLab registry cache. I wonder if the IPFS distributed docker registry thing still exists/works.
  • gchamonlive 4 minutes ago
    Here in Brazil sometimes my ISP goes into a weird state where I can't SSH into a remote machine. Got two ISP links here and still sometimes I need to resort to Mullvad to get stable internet
  • torben-friis 34 minutes ago
    As a Spaniard, I would be very happy if cloudflare stops serving Spain. The situation is beyond stupid and I know without international pressure and shaming we're not getting rid of this abuse.
    • littlecranky67 20 minutes ago
      They should at least do a single "awareness day" during which they block the same IPs and sites they are ordered by court, as if there was a football match on. Ideally with a 7 days public notice announcement. Probably won't happen though, as their contractual obligation won't allow for voluntary suspension of services.
  • Magnets 4 minutes ago
    BT used to block the entire streamable.com site during football matches
  • pjc50 2 hours ago
    This is why technology businesses and professionals need to take a little bit of an active role in local politics. Otherwise you get nonsense.
    • DocTomoe 1 hour ago
      That's an interesting euphemism for 'spend a massive amount of money on ~~corruption~~ lobbying'
      • lentil_soup 49 minutes ago
        not necessarily, any government will make decisions, if there's no one to speak up and inform them why the decision is stupid, like the one from LaLiga, then we end up in this situation
        • afh1 38 minutes ago
          This is incredibly naive.
          • embedding-shape 10 minutes ago
            What? This is how governance and public opinion happen, at least in Spain. Government does something bad? Everyone out on the streets to complain, and calling politicians to change their mind.

            Sometimes it works, sometimes it does not, but doing nothing is never an option if you disagree with what they're doing. To think that doing nothing is better than something, that's incredibly naive.

          • lentil_soup 26 minutes ago
            ok, then what do you suggest? we don't get involved and decisions at the government level are made for us? I might be naive, but let's not be restrained by the cynicism of any involvement in politics and governance is corruption
  • Jare 47 minutes ago
    It's a disgrace, but apparently all relevant forces still consider soccer the most important thing in the country.
  • sigio 3 hours ago
    Time to use a VPN in your docker pipelines ;) Or run your systems outside of Spain.

    Or can this be avoided by using an alternate DNS?

    • darkwater 2 hours ago
      They are planning to also block VPN providers during football matches, see https://www.techradar.com/vpn/vpn-privacy-security/la-liga-w...
      • prmoustache 1 hour ago
        When talking about VPNs, it doesn't have to mean "third party VPN". You can host your own on any VPN service outside of Spain.
        • darkwater 1 hour ago
          Yes, but that's not something many can do easily. Also already having to use a VPN is not the "right" solution. The right solution is to beat some sense inside some politician's head, and force them to write and approve laws that don't let stupid (or conniving) judges pass orders like this one we are talking about.
          • prmoustache 1 hour ago
            I agree it is not the right solution.

            But anyone who is pulling docker images on a Sunday afternoon while the rest of the country is glued to their screen to watch a football game or enjoying a sunny Sunday outside having beers and tapas and what not should be capable of setting up wireguard.

          • marginalia_nu 55 minutes ago
            Given the context of the HN audience, it's probably something you can do.
      • Mordisquitos 2 hours ago
        They are not "planning" to block VPNs. A technologically illiterate judge has ordered it, but there are no plans nor mechanisms to enforce it.
        • darkwater 1 hour ago
          The exact same stupid mechanism they are already using. Forcing ISPs to blackhole whole subnets if they belong to the VPN provider ASN(s).
        • chrismustcode 2 hours ago
          If they can block IPs of cloudflare what extra mechanisms would be needed to block VPN IPs?
          • chmod775 2 hours ago
            The only viable way to even get most of them is to shut down internet access entirely. It's not a realistic solution, unlike blocking a few well known IP ranges belonging to a large corp like Cloudflare.

            And even if you managed to get them all beforehand, some VPN providers will adapt and keep some servers in reserve, putting them online just as you managed to block the previous ones. Getting around internet censorship is a large chunk of their business, and some are really good at it.

          • mr-wendel 1 hour ago
            It's a game. The VPN marketplace is huge so it's whack-a-mole.

            Big companies don't hide their VPN ASNs. Obscure, for sure, but getting a good list isn't hard. Usually they get blocked.

            Smaller companies may pass under the radar, and have higher tolerance for risky strategies.

            The fringe providers are the problem. They aggressively change IP ranges, front-vs-obscure ownership, and play dirty. Shady folks will resell residential ranges. End-users often get tainted goods.

            ... and you still have the collateral damage game when VPNs host infra with big cloud providers vs colofarms vs self-host, etc.

      • ufocia 2 hours ago
        "A _Spanish_ Court has ordered NordVPN and Proton VPN to block IPs transmitting illegal football streams" [emphasis added], that is in Spain.
    • skgsergio 2 hours ago
      Alternate DNS doesn't help, they block at IP level.

      Yes, they block IPs belonging to CDNs (CF including R2, BunnyCDN, CDN77, Fastly, Alibaba, Akamai even)...

    • littlecranky67 1 hour ago
      It is not a DNS based block, but on the IP level. Once I knew what caused the issue, I figured I use one of my Hetzner vServers as an exit node in tailscale.

      But come on, this can't be true. I wonder how many other people in IT wasted hours on issues and tickets to find out it is due to a football match taking place. Admittedly, chances are low, as football matches are usually outside of office hours.

  • vaylian 3 hours ago
    This is a known issue and it is completely fucked up: https://www.techradar.com/vpn/vpn-privacy-security/cloudflar...

    What Spain does is basically censorship and it's very poorly executed. The docker image registry is only one out of the many collateral victims of this stupid law.

    • embedding-shape 19 minutes ago
      > What Spain does is basically censorship and it's very poorly executed

      Basically? It is censorship, with huge collateral damage and regardless of how much we complain or share evidence that the blocks are actually financially harming us, no one seems to care as long as La Liga gets to freely block whatever hoster of websites as they wish.

  • anthk 2 hours ago
    CF could just sue LaLiga and the judge as interrupting and intercepting telecoms is a really serious crime in Spain. Call the AEPD too because of consumers' right against both ISP and LaLiga's snooping. Another huge fine.

    This is not an issue under the civil code (civilian issues), but something to be dealt under penal (criminal) code.

    In Spanish

    https://www.fiscal.es/memorias/memoria2020/FISCALIA_SITE/rec...

    Oh, and BTW, LaLiga has just partnered with a CF rival.

    Now CF can just sue both like hell because of unfair competition:

    https://nitter.tiekoetter.com/xataka/status/2042658662850724...

  • jimaek 2 hours ago
    Off topic but I wonder when Cloudflare is going to launch their own Docker registry as a product.
    • ImJasonH 2 hours ago
      It's pretty easy to write your own. I made this one a while ago: https://github.com/chainguard-dev/crow-registry
    • wqtz 1 hour ago
      Well, Cloudflare does not launch anything. They acquire to build products. Look into all their recent product launches. They acquired a relatively small company and converted the founding team to a product team.

      So, if you want them to build stuff, ask yourself, are there any "Docker Registry" startups out there. If jsdelivr/globalping is not keeping you busy enough... there is an idea

      • jimaek 1 hour ago
        Honestly I would build it if I knew how to properly market it to quickly get users.

        Globalping and jsDelivr took years to gain a meaningful user base

        • wqtz 1 hour ago
          I do not think that is the issue. The recent acquisitions from all these big tech companies did not have any "meaningful" user base to begin with.

          I think your name alone carries significant weight in the industry and you have built a very large community.

          If you even vibe code something with, you will get a stupid amount of money thrown at you and a contract that bounds your existing projects and the next 3-5 years to a particular company as project lead.

          Here is a list of acquisitions Cloudflare made recently: https://blog.cloudflare.com/tag/acquisitions/

          Most of these companies did not have a half dozen paying customers or even a fully fleshed-out product before they were acquired.

          • jimaek 29 minutes ago
            I wish I had as much faith in myself as you have in me :)
    • ai_slop_hater 28 minutes ago
      • jimaek 26 minutes ago
        I've seen it but it's buggy and lacking in features. Feels like an afterthought instead of a real product
    • vaylian 2 hours ago
      What would the business case be?
      • jimaek 2 hours ago
        Capture developers and funnel them to the Workers platform
  • ahachete 2 hours ago
    Yeah, I know. Welcome to the club :(

    https://x.com/ahachete/status/2035783292549755228

  • anthk 2 hours ago
    Yea, La Liga is crapping out as always. Docker needs either some I2P gateway, or a Tor service.
  • richwater 1 hour ago
    Spain is a failing country. Their economy is in shambles and the government has ceded internet control to a private corporation who runs football games.
    • gruez 44 minutes ago
      >Their economy is in shambles

      But it's among the fastest growing in the EU? Granted, part of this is starting from a low base, but it's hardly "in shambles"

      https://data.worldbank.org/indicator/NY.GDP.PCAP.KD.ZG?locat...

    • embedding-shape 18 minutes ago
      Spain isn't a perfect country, I don't think any is. But the economy isn't in shambles, only someone who doesn't know what they're talking about would say anything like that. It does suck that La Liga can wield so much power, agree, but this is not related to the economy at all...
    • estebank 38 minutes ago
      To note that this isn't the executive or legislative but the judiciary doing the bidding.
  • mathfailure 2 hours ago
    Cloudflare is cancer. And the tumor is now too big.
    • Cpoll 2 hours ago
      You've got it backwards. Spain's ISPs are blocking Cloudflare and other CDNs because of LaLiga/football piracy. CloudFlare isn't doing anything here.
      • sph 2 hours ago
        You are correct, but Cloudflare is still a cancer on the Internet.
        • petcat 2 hours ago
          Rampant bot traffic and scrapers are the real cancer. Until that goes away everyone is going to need cloudflare or some other bot firewall service.
          • adrian_b 1 hour ago
            Perhaps that is true, but the Cloudflare anti-bot protection is too stupid and annoying.

            They should have used a cookie or something else that does not require asking me every few minutes to prove once more that I am not a bot.

            There was a time when Cloudflare had become less intrusive, but for the last months it has begun again to intervene almost each time when opening some pages.

            There is no doubt that anti-bot protection can be implemented in a better way than Cloudflare does, but presumably the alternatives would consume more resources on their servers, so probably they choose whatever minimizes their costs, regardless if that ensures maximum discomfort for Internet users.

            • post-it 18 minutes ago
              You're getting frequent verification requests because you're behaving like a bot. Are you modifying your user agent string or using a VPN?
              • encom 6 minutes ago
                Who knows what upsets ClownFlare? I'm using Vivaldi on Linux on IPv6 in Denmark with every uBlock filter enabled and Cookie Auto-delete. That seems to confuse and anger CloudFlare and I get CAPTCHA tarpitted constantly.
          • Duwensatzaj 1 hour ago
            It won’t. Some people are perfectly happy to destroy and destroy as long as they get some small portion as profit for themselves.
            • sph 12 minutes ago
              That, ironically, includes Cloudflare. Without rampant bots making the internet worse for everybody, they wouldn't have as much work. And their portion of profit is anything but small.
      • otterley 29 minutes ago
        I know this is an unpopular opinion among freedom maximalists, but:

        It’s precisely because CloudFlare isn’t responding like other CDNs to reasonable demands to cut off pirate origin sites that this mess exists. If they reacted quickly to remove configurations that are obviously facilitating copyright infringement, Spain wouldn’t resort to full scale ASN blocking.

        How do we know it’s CloudFlare? Because other CDNs like CloudFront, Akamai, Fastly, etc. respond to takedown demands and aren’t being blocked. (Those also cost money and require customer identification.)

        In an escalating war between the state and a corporation, the state will always prevail if they have the public’s backing. In Spain it’s clear that most people are happy to watch the match through legitimate channels even at the cost of blocking CloudFlare.

      • jbxntuehineoh 1 hour ago
        cf is failing to comply with Spanish law and as a result is being blocked in Spain
    • skgsergio 2 hours ago
      I can agree on how much power on the global traffic they have, but these blocks affect many other CDNs like Fastly, Akamai, CDN77, BunnyCDN, Alibaba...
    • petcat 2 hours ago
      Spain is mandating their ISPs block cloudflare to stop people from illegally streaming soccer games. Cloudflare isn't the one doing the blocking.
    • StrLght 2 hours ago
      You made a few typos in "LaLiga"
    • ufocia 2 hours ago
      How so?
  • renewiltord 36 minutes ago
    Not everything has to be about docker and tech, dude. Go buy a ticket to the game or go out and get a meal with your wife. Learn to enjoy life. Take siesta. Constantly debugging makes you sound American.
    • post-it 20 minutes ago
      It's not just docker and tech. Plenty of people depend on tools that use Cloudflare.
      • renewiltord 7 minutes ago
        And when you are on your deathbed you will say “I wish I had spent more time on Cloudflare-based products”? I doubt it. No peer-reviewed research has shown people say that.
    • embedding-shape 17 minutes ago
      Telling someone what to do is even more American, let people do whatever they want, at the times they want, as long as they don't hurt others, this is the Spanish way.
      • renewiltord 3 minutes ago
        Touché. Or should I say “me has tocado señor”. Probably not but it would be funny.
    • Synthetic7346 20 minutes ago
      This comment has some "you should smile more" energy
      • renewiltord 6 minutes ago
        Smile more. Touch grease. Roll coal.