Nuxt HN | Tell HN: docker pull fails in spain due to football cloudflare block

Tell HN: docker pull fails in spain due to football cloudflare block

I just spent 1h+ debugging why my locally-hosted gitlab runner would fail to create pipelines. The gitlab job output would just display weird TLS errors when trying to pull a docker images. After debugging gitlab and the runner, I realized after a while I could not even run "docker pull <image>" on my machine as root:

> error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

First blaming tailscale, dns configuration and all other stuff. Until I just copied that above URL into my browser on my laptop, and received a website banner:

> El acceso a la presente dirección IP ha sido bloqueado en cumplimiento de lo dispuesto en la Sentencia de 18 de diciembre de 2024, dictada por el Juzgado de lo Mercantil nº 6 de Barcelona en el marco del procedimiento ordinario (Materia mercantil art. 249.1.4)-1005/2024-H instado por la Liga Nacional de Fútbol Profesional y por Telefónica Audiovisual Digital, S.L.U. https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare

For those non-spanish speakers: It means there is football match on, and during that time that specific host is blocked. This is just plain madness. I guess that means my gitlab pipelines will not run when football is on. Thank you, Spain.

103 points | by littlecranky67 2 hours ago

The real fix on your end until Spain sorts this out: set up a pull-through registry cache (e.g. registry:2 with proxy.remoteurl) on a VPS outside Spain, and point your Docker daemon's mirror config at it. Your GitLab runner pulls from the cache, the cache pulls from Docker Hub via a non-blocked IP. Also insulates you from Docker Hub rate limits. But yeah, the fact that a court order about football streaming can break docker pull for an entire country is genuinely absurd.

13 comments

mrvaibh 11 minutes ago

This is a great example of why blanket IP blocking is such a terrible enforcement mechanism. Cloudflare hosts hundreds of thousands of services behind shared IP ranges — blocking one IP to stop a piracy stream takes out everything else on that IP, including Docker registries, API endpoints, and CDNs that have nothing to do with football.

danirod 30 minutes ago
Heh, lucky you, at least you get a message. My ISP just drops traffic to the affected IPs. No ping, no traceroute, just a spinner in the browser until it says "page not found".
Every response and comment from LaLiga, the football organization responsible for this, has been so far that this is a minor issue that only affects a few bunch of nerds who talk about "docker images" or "github repositories" or "whatever that means".
Meanwhile, there are testimonies of smart home devices like anti-theft alarms or automatic doors, that stop working whenever there is a football match, because their backends rely on Cloudflare.
Last week, a woman asked for help on social media, as the GPS tracking app she uses to see where her father with dementia is, went offline during a match. It was getting late and he still wasn't back home, and she couldn't locate the tag he was wearing to find him: https://www.infobae.com/america/agencias/2026/04/05/laliga-d...
It's hard to say this, because no one should experience an event like this, but as stressful as these are, it's the only way to make the mainstream people care about this censorship. "I cannot pull a docker image" will never be on nightly news, but safety and personal security is a more powerful driver for discourses.
[-]
- freetanga 9 minutes ago
  All people affected should file a complaint with your ISP and with Oficina de Atención al Usuario de Telecomunicaciones claiming financial loss for arbitrary service censorship.
utrack 1 hour ago
They block the whole of Cloudflare R2, I believe the Docker hub is just (heh) a collateral.
When the La Liga match starts, everything that's proxied via CF (including zero access reverse tunnels) stops working.
There's even a website made for checking if the match is on: https://hayahora.futbol/
You can check if your host is affected: https://hayahora.futbol/#comprobador&domain=docker-images-pr...
[-]
- mr_mitm 41 minutes ago
  Why do they do that? Sorry, I don't speak Spanish.
  [-]
  - quadrifoliate 28 minutes ago
    Here's a good English-language article about it, with a timeline: https://daniel.es/blog/cloudflare-vs-la-liga/
    Looks like same old regulatory capture.
  - prmoustache 12 minutes ago
    Because LaLiga and football in general is what is governing Spain really.
  - ShowalkKama 29 minutes ago
    to """"""""""prevent piracy""""""""""
pjc50 37 minutes ago
This is why technology businesses and professionals need to take a little bit of an active role in local politics. Otherwise you get nonsense.
sigio 1 hour ago
Time to use a VPN in your docker pipelines ;) Or run your systems outside of Spain.
Or can this be avoided by using an alternate DNS?
[-]
- darkwater 1 hour ago
  They are planning to also block VPN providers during football matches, see https://www.techradar.com/vpn/vpn-privacy-security/la-liga-w...
  [-]
  - prmoustache 20 minutes ago
    When talking about VPNs, it doesn't have to mean "third party VPN". You can host your own on any VPN service outside of Spain.
    [-]
    - darkwater 4 minutes ago
      Yes, but that's not something many can do easily. Also already having to use a VPN is not the "right" solution. The right so solution is to beat some sense inside some politician's head, and force them to write and approve laws that don't let stupid (or conniving) judges pass orders like this one we are talking about.
  - Mordisquitos 57 minutes ago
    They are not "planning" to block VPNs. A technologically illiterate judge has ordered it, but there are no plans nor mechanisms to enforce it.
    [-]
    - darkwater 8 minutes ago
      The exact same stupid mechanism they are already using. Forcing ISPs to blackhole whole subnets if they belong to the VPN provider ASN(s).
    - chrismustcode 37 minutes ago
      If they can block IPs of cloudflare what extra mechanisms would be needed to block VPN IPs?
      [-]
      - chmod775 28 minutes ago
        The only viable way to even get most of them is to shut down internet access entirely. It's not a realistic solution, unlike blocking a few well known IP ranges belonging to a large corp like Cloudflare.
        And even if you managed to get them all beforehand, some VPN providers will adapt and keep some servers in reserve, putting them online just as you managed to block the previous ones. Getting around internet censorship is a large chunk of their business, and some are really good at it.
  - ufocia 42 minutes ago
    "A _Sanish_ Court has ordered NordVPN and Proton VPN to block IPs transmitting illegal football streams" [emphasis added], that is inspain.
- skgsergio 38 minutes ago
  Alternate DNS doesn't help, they block at IP level.
  Yes, they block IPs belonging to CDNs (CF including R2, BunnyCDN, CDN77, Fastly, Alibaba, Akamai even)...
vaylian 1 hour ago
This is a know issue and it is completely fucked up: https://www.techradar.com/vpn/vpn-privacy-security/cloudflar...
What Spain does is basically censorship and it's very poorly executed. The docker image registry is only one out of the many collateral victims of this stupid law.
jimaek 1 hour ago
Off topic but I wonder when Cloudflare is going to launch their own Docker registry as a product.
[-]
- wqtz 18 minutes ago
  Well, Cloudflare does not launch anything. They acquire to build products. Look into all their recent product launches. They acquired a relatively small company and converted the founding team to a product team.
  So, if you want them to build stuff, ask yourself, are there any "Docker Registry" startups out there. If jsdelivr/globalping is not keeping you busy enough... there is an idea
  [-]
  - jimaek 0 minutes ago
    Honestly I would build it if I knew how to properly market it to quickly get users.
    Globalping and jsDelivr took years to gain a meaningful user base
- ImJasonH 44 minutes ago
  It's pretty easy to write your own. I made this one a while ago: https://github.com/chainguard-dev/crow-registry
- vaylian 1 hour ago
  What would the business case be?
  [-]
  - jimaek 1 hour ago
    Capture developers and funnel them to the Workers platform
richwater 6 minutes ago
Spain is a failing country. Their economy is in shambles and the government has ceded internet control to a private corporation who runs football games.
anthk 42 minutes ago
CF could just sue LaLiga and the judge as interrupting and intercepting telecomms it's a really serious crime in Spain. Call the AEPD too because of consumers' right against both ISP and LaLiga's snooping. Another huge fine.
This is not an issue under the civil code (civilian issues), but something to be dealt under penal (criminal) code.
In Spanish
https://www.fiscal.es/memorias/memoria2020/FISCALIA_SITE/rec...
Oh, and BTW, LaLiga has just partnered with a CF rival.
Now CF can just sue both like hell because of unfair competition:
https://nitter.tiekoetter.com/xataka/status/2042658662850724...
[-]
- quadrifoliate 24 minutes ago
  Looks like they already tried to appeal the block, and lost:
  https://x.com/jaumepons/status/1904906677335245294
- prmoustache 23 minutes ago
  I think they are doing it already.
anthk 46 minutes ago
Yea, La Liga it's crapping out as always. Docker needs either some I2P gateway, or a Tor service.
ahachete 1 hour ago
Yeah, I know. Welcome to the club :(
https://x.com/ahachete/status/2035783292549755228
mathfailure 56 minutes ago
Cloudflare is cancer. And the tumor is now too big.
[-]
- Cpoll 49 minutes ago
  You've got it backwards. Spain's ISPs are blocking Cloudflare and other CDNs because of LaLiga/football piracy. CloudFlare isn't doing anything here.
  [-]
  - sph 40 minutes ago
    You are correct, but Cloudflare is still a cancer on the Internet.
    [-]
    - petcat 33 minutes ago
      Rampant bot traffic and scrapers are the real cancer. Until that goes away everyone is going to need cloudflare or some other bot firewall service.
- skgsergio 35 minutes ago
  I can agree on how much power on the global traffic they have, but this blocks affect many other CDNs like Fastly, Akamai, CDN77, BunnyCDN, Alibaba...
- StrLght 37 minutes ago
  You made a few typos in "LaLiga"
- petcat 48 minutes ago
  Spain is mandating their ISPs block cloudflare to stop people from illegally streaming soccer games. Cloudflare isn't the one doing the blocking.
- ufocia 38 minutes ago
  How so?