Hacker News

Tell HN: Docker pull fails in Spain due to football Cloudflare block

1096 points by littlecranky67 yesterday at 12:28 PM | 399 comments

I just spent 1h+ debugging why my locally-hosted gitlab runner would fail to create pipelines. The gitlab job output would just display weird TLS errors when trying to pull a docker image. After debugging gitlab and the runner, I realized after a while I could not even run "docker pull <image>" on my machine as root:

> error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

First blaming tailscale, dns configuration and all other stuff. Until I just copied that above URL into my browser on my laptop, and received a website banner:

> El acceso a la presente dirección IP ha sido bloqueado en cumplimiento de lo dispuesto en la Sentencia de 18 de diciembre de 2024, dictada por el Juzgado de lo Mercantil nº 6 de Barcelona en el marco del procedimiento ordinario (Materia mercantil art. 249.1.4)-1005/2024-H instado por la Liga Nacional de Fútbol Profesional y por Telefónica Audiovisual Digital, S.L.U. https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare

For those non-Spanish speakers: It means there is a football match on, and during that time that specific host is blocked. This is just plain madness. I guess that means my gitlab pipelines will not run when football is on. Thank you, Spain.
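An added example (not part of the original post): a small triage script that sorts failed-pull log lines by failure type, so a certificate-name mismatch like the one quoted above is recognised as a different server answering for the registry's hostname rather than as a local misconfiguration. The first sample line is the error from the post; the other log lines, the `example.test` hostnames and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Hostname-mismatch wording from Go's crypto/x509, which docker pull surfaces.
NAME_MISMATCH = re.compile(
    r"x509: certificate is (?:not valid for any names, but wanted to match"
    r"|valid for .+, not) (?P<host>[\w.-]+)")
UNKNOWN_CA = re.compile(r"x509: certificate signed by unknown authority")
TIMEOUT = re.compile(r"i/o timeout|TLS handshake timeout")
URL_HOST = re.compile(r"https?://(?P<host>[\w.-]+)")

ADVICE = {
    "name-mismatch": "another server answered for this name (block page, captive "
                     "portal, interception); keep TLS verification on",
    "untrusted-issuer": "chain ends in a CA this host does not trust "
                        "(inspection proxy or missing CA bundle)",
    "timeout": "packets are being dropped on the path; compare from another network",
}

def classify(line):
    """Return (kind, host) for a failed-pull log line, or None if unrecognised."""
    m = NAME_MISMATCH.search(line)
    if m:
        return "name-mismatch", m.group("host").rstrip(".")
    url = URL_HOST.search(line)
    host = url.group("host") if url else "unknown"
    if UNKNOWN_CA.search(line):
        return "untrusted-issuer", host
    if TIMEOUT.search(line):
        return "timeout", host
    return None

def triage(lines):
    """Count failures per (kind, host) and attach the matching advice."""
    counts = Counter(c for c in map(classify, lines) if c)
    return [(host, kind, n, ADVICE[kind])
            for (kind, host), n in sorted(counts.items())]

# First line is the error quoted in the post; the rest are constructed samples.
SAMPLE_LOG = [
    "error pulling image configuration: download failed after attempts=6: "
    "tls: failed to verify certificate: x509: certificate is not valid for any "
    "names, but wanted to match docker-images-prod."
    "6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com",
    'Get "https://registry.example.test/v2/": dial tcp 203.0.113.7:443: i/o timeout',
    'Get "https://registry.example.test/v2/": net/http: TLS handshake timeout',
    'Get "https://mirror.example.test/v2/": tls: failed to verify certificate: '
    "x509: certificate signed by unknown authority",
    "Pulling from library/alpine",
]

if __name__ == "__main__":
    for host, kind, n, advice in triage(SAMPLE_LOG):
        print(f"{n}x {kind:16} {host}: {advice}")
```

A name mismatch means certificate verification did its job; marking the registry as insecure to silence it would hand the pull to whichever server is answering.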


Comments

danirod yesterday at 2:31 PM

Heh, lucky you, at least you get a message. My ISP just drops traffic to the affected IPs. No ping, no traceroute, just a spinner in the browser until it says "page not found".

Every response and comment from LaLiga, the football organization responsible for this, has been so far that this is a minor issue that only affects a few bunch of nerds who talk about "docker images" or "github repositories" or "whatever that means".

Meanwhile, there are testimonies of smart home devices like anti-theft alarms or automatic doors, that stop working whenever there is a football match, because their backends rely on Cloudflare.

Last week, a woman asked for help on social media, as the GPS tracking app she uses to see where her father with dementia is, went offline during a match. It was getting late and he still wasn't back home, and she couldn't locate the tag he was wearing to find him: https://www.infobae.com/america/agencias/2026/04/05/laliga-d...

It's hard to say this, because no one should experience an event like this, but as stressful as these are, it's the only way to make the mainstream people care about this censorship. "I cannot pull a docker image" will never be on nightly news, but safety and personal security is a more powerful driver for discourses.

utrack yesterday at 1:44 PM

They block the whole of Cloudflare R2, I believe the Docker hub is just (heh) a collateral.

When the La Liga match starts, everything that's proxied via CF (including zero access reverse tunnels) stops working.

There's even a website made for checking if the match is on: https://hayahora.futbol/

You can check if your host is affected: https://hayahora.futbol/#comprobador&domain=docker-images-pr...

madbo1 today at 6:18 AM

Reading this from India, where stuff like this is pretty much Tuesday business. But that’s not the problem; the problem is precisely the one hour of your life spent trying to figure out whether the issue is your DNS, your VPN, your configuration, or your programming. “The government in the country I’m accessing this from just decided to shut down my IP for the next two hours” rarely crosses your mind.

India has consistently been at the top of the number of Internet blackouts anywhere in the world for years (Access Now keeps track of this through its KeepItOn project). These tend to be brief and localized, triggered by something as mundane as an exam or protest or local incident. It’s such a routine occurrence here that there’s even a reflexive response: mobile data works differently from other connectivity types, so go with that, try new DNS settings, rely on Telegram instead of WhatsApp when the latter fails you, and always have a list of mirrors.

What’s fascinating about this case is that it’s identical except for who is pressing the button: LaLiga, a privately owned entity, in place of the government.

mrvaibh yesterday at 2:49 PM

This is a great example of why blanket IP blocking is such a terrible enforcement mechanism. Cloudflare hosts hundreds of thousands of services behind shared IP ranges — blocking one IP to stop a piracy stream takes out everything else on that IP, including Docker registries, API endpoints, and CDNs that have nothing to do with football.

The real fix on your end until Spain sorts this out: set up a pull-through registry cache (e.g. registry:2 with proxy.remoteurl) on a VPS outside Spain, and point your Docker daemon's mirror config at it. Your GitLab runner pulls from the cache, the cache pulls from Docker Hub via a non-blocked IP. Also insulates you from Docker Hub rate limits.

But yeah, the fact that a court order about football streaming can break docker pull for an entire country is genuinely absurd.

jjcm yesterday at 4:51 PM

Barring an Internet giant suing them in court, it really feels like this is unlikely to change as most just don’t understand the why or the effect.

Someone needs to write a heist movie set in Spain where a key part of the plan is they steal something while La Liga is blocking some key security route.

jcalvinowens yesterday at 4:04 PM

This is the moral equivalent of shutting the water off for a whole city because one dude's house has a leak. The harms to society clearly and obviously outweigh any possible benefits to society. But if that one dude has the power to shut it all off, and doesn't care...

redbell yesterday at 11:31 PM

This behavior of blocking some domains and IP ranges during LaLiga games has become a routine by now. You might also want to check these similar submissions:

My game's server is blocked in Spain whenever there's a football match on: https://news.ycombinator.com/item?id=45358433

Spain’s LaLiga has blocked access to freedom.gov: https://news.ycombinator.com/item?id=47114235

isodev today at 10:55 AM

Very good example as to why using a single, centralised proxy globally by all services is a bad idea. Docker would never have a reason to block anything if they were simply running their own.

For everyone else, small and big, this is the weekly reminder to not use Cloudflare for user-facing access to anything.

Self-Perfection yesterday at 11:54 PM

This is far from the first time that I see on HN indignation on LaLiga blockings. Sadly all this rage does not seem to lead to any change.

I'd like to suggest some steps that might/should be followed, which I will not pursue personally but in my defense - I do not live in Spain and am not affected.

1) (first! low-effort) Somebody should create any space on the internet, where such anecdotes might be shared and probably people with common goals of fixing internet access in Spain will meet. E.g. telegram group, discord channel, subreddit...

2) probably create wiki with related research: legal framework and possible actions etc

3) Raise public awareness. Create a resource/website with schedule of past and future "semi-blackouts", simple explanation of possible effects a layman may notice etc

4) Explore legal actions that might be taken. How this issue might be forced to be discussed by politicians? For instance I know that Portugal has official mechanism to put forward petitions, that will be discussed in parliament if get enough votes [1]

Space of possible demands in such petitions is vast. For instance:

- Make LaLiga compensate partly price of internet access

- Force LaLiga to include education notice in the beginning and the end of translation with title like "Start of reduced internet connectivity" / "End of reduced internet connectivity"

[1] https://participacao.parlamento.pt/initiatives/

torben-friis yesterday at 4:04 PM

As a Spaniard, I would be very happy if Cloudflare stops serving Spain. The situation is beyond stupid and I know without international pressure and shaming we're not getting rid of this abuse.

rmonvfer yesterday at 9:25 PM

As a Spaniard, this also happens to me. You can either use a VPN or just switch DNS servers to one that doesn’t have anycast nodes in Spain.

Cloudflare’s authoritative DNS uses EDNS Client Subnet (ECS) to return different IP pools based on where the query originates. Spanish resolvers get IPs from a range that La Liga blocks. If your recursive resolver is physically outside Spain (or you use DoH/DoT to tunnel to one), Cloudflare returns a different, unblocked pool.

AdGuard DNS works well for this.

samgranieri yesterday at 8:48 PM

This is inexcusable. Just because sports right holders are worried about piracy doesn’t give them license to break normal internet operations. Spain, get your act together and put your equivalent of the content cartel in the penalty box.

pjc50 yesterday at 2:23 PM

This is why technology businesses and professionals need to take a little bit of an active role in local politics. Otherwise you get nonsense.

markstos today at 5:51 PM

It appears Cloudflare is responding to a legal requirement to implement this IP blocking.

https://www.techradar.com/vpn/vpn-privacy-security/cloudflar...

egeres today at 9:31 AM

I wasn't able to pull some images and I lost 1h trying to diagnose network problems in my setup, but it didn't occur to me that "la liga" was the root cause. My workaround was to add "registry-mirrors": ["https://mirror.gcr.io"] in my /etc/docker/daemon.json

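An added example (not code from any commenter): the two files behind the mirror setups described by mrvaibh and egeres above, a registry:2 pull-through cache config and an /etc/docker/daemon.json with the mirror merged in. The hostname `cache.example.test` and the function names are assumptions of this example, as is its rule of accepting only bare `https://` mirror URLs.

```python
import json
from urllib.parse import urlsplit

DOCKER_HUB = "https://registry-1.docker.io"  # upstream that the cache fronts

def registry_cache_config(remote_url=DOCKER_HUB, listen=":5000"):
    """config.yml for a registry:2 container acting as a pull-through cache."""
    return (
        "version: 0.1\n"
        "storage:\n"
        "  filesystem:\n"
        "    rootdirectory: /var/lib/registry\n"
        "http:\n"
        f"  addr: {listen}\n"
        "proxy:\n"
        f"  remoteurl: {remote_url}\n"
    )

def add_registry_mirror(daemon_json, mirror_url):
    """Return daemon.json text with mirror_url added, other settings untouched."""
    parts = urlsplit(mirror_url)
    # This example's rule: TLS only, so the daemon still authenticates the mirror.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"mirror must be an https:// URL, got {mirror_url!r}")
    if parts.path.strip("/") or parts.query or parts.username:
        raise ValueError("mirror URL must be host[:port] only, no path or credentials")
    config = json.loads(daemon_json) if daemon_json.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    mirrors = config.setdefault("registry-mirrors", [])
    if not isinstance(mirrors, list):
        raise ValueError('"registry-mirrors" must be a list')
    normalized = f"https://{parts.netloc}"
    if normalized not in (m.rstrip("/") for m in mirrors):
        mirrors.append(normalized)  # appended after any mirrors already listed
    return json.dumps(config, indent=2) + "\n"

# Constructed daemon.json: one unrelated setting plus the mirror egeres mentions.
EXISTING = '{"log-driver": "json-file", "registry-mirrors": ["https://mirror.gcr.io"]}'

if __name__ == "__main__":
    print(registry_cache_config())
    print(add_registry_mirror(EXISTING, "https://cache.example.test/"))
```

`registry-mirrors` only affects images pulled from Docker Hub; images referenced by another registry hostname bypass the mirror.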
panstromek today at 7:01 AM

Yea, when there's a match, our app stops playing videos in Spain and we get some bad reviews. It's pretty annoying.

evilmonkey19 today at 10:31 AM

Last weekend happened as well :/

https://news.ycombinator.com/item?id=47480926

The situation every weekend is getting worse and worse. Honestly, I cannot understand how any government who wants freedom for its citizens can allow to block internet access to a whole country only because a private football company asks for it. I guess LaLiga is the 4th statement in Spain...

And the situation will probably get even worse with Fastly entering the equation: https://www.fastly.com/press/press-releases/fastly-and-lalig...

swiftcoder yesterday at 6:41 PM

Hah. I have had to use a US-based VPN to access GitHub pretty much every weekend lately. La Liga's efforts to curb pirate TV streams are basically undermining the internet itself at this point.

This is also not new behaviour - Theo posted a YouTube about it nearly a year ago[1].

[1]: https://www.youtube.com/watch?v=1-geGEYEw7g

ordersofmag yesterday at 5:40 PM

Interesting alternative. Cloudflare (market cap $58B) buys La liga (market value $5 billion), drops suit.

yangm97 yesterday at 4:33 PM

Maybe it’s time to reflect upon the reliance on centralized services? Not long ago docker hub started rate limiting access and we all turned to blanket solutions like the GitLab registry cache. I wonder if the IPFS distributed docker registry thing still exists/works.

Self-Perfection yesterday at 11:19 PM

[Meta comment]

Humankind is not doing well with implementing new policies. We should really strive for each new policy (like in this case - blocking access to some parts of internet during soccer games):

- Consider running policy in small scale scenario (e.g. testing blocking in small parts of Spain before whole country rollout)

- Implement channels to gather info from those who are faced with results of policy implementation (in this case: the op got webpage with description why the page is blocked - a bit of sanity! It would be better if it was served with HTTP code 451)

- Policy instructions

- When deciding on policy put a date at which policy should be reconsidered and revised using data collected during the time when it was in effect

- ... and some more I have not thought about.

Let's strive to cultivate these principles in all life areas where we can affect how new policies are implemented.

(edit: linebreaks)

pfortuny yesterday at 5:31 PM

> instado por la Liga Nacional de Fútbol Profesional y por Telefónica Audiovisual Digital,

(The trial was initiated by LaLiga and Telefonica...).

"Telefonica" is the (exclusive) distributor for the rights of streaming the matches, and is only (of course?) the main consumer (and business) Telco in Spain: they are in a game they cannot lose. This is such an abuse and no government (this, past, whichever) has done anything about it.

gchamonlive yesterday at 4:34 PM

Here in Brazil sometimes my ISP goes into a weird state where I can't SSH into a remote machine. Got two ISP links here and still sometimes I need to resort to Mullvad to get stable internet

sam_lowry_ today at 1:37 PM

I am walking the Camino de Santiago now, and there were pilgrims complaining about random issues with their phones, e.g. an elderly German lady was totally lost as her Google Maps was not working, so we got to an albergue, asked for wi-fi and downloaded CoMaps on her phone.

Chrisszz yesterday at 8:15 PM

LOL this is so hilarious, blocking a portion of a web infra for a football match

amarant yesterday at 6:13 PM

I had to Google why this happens, blocking cloudflare during football games seems.. Arbitrary, to say the least. Maybe something to do with hooligans trashing entire cities when their team loses? I could almost get behind that, if I thought it would work..

But no, it's apparently to stop piracy!? Turning off half the internet, and mostly the legitimate parts at that (since when do pirates use cloudflare?) seems like probably the worst method to go about it.

Someone ought to start streaming those games illegally without using cloudflare just to demonstrate how stupid this policy is

Kamshak yesterday at 5:48 PM

I'm in Spain as well and it sucks a lot. What I do now is I go through Cloudflare 1.1.1.1 VPN (set up on my router). Fixes the issue and there is practically no latency or bandwidth impact.

Jare yesterday at 3:51 PM

It's a disgrace, but apparently all relevant forces still consider soccer the most important thing in the country.

schnitzelstoat today at 9:07 AM

The government really needs to step in, it's surprising that the PSOE and Sumar have allowed private companies to block so much of the internet.

vaylian yesterday at 1:32 PM

This is a known issue and it is completely fucked up: https://www.techradar.com/vpn/vpn-privacy-security/cloudflar...

What Spain does is basically censorship and it's very poorly executed. The docker image registry is only one out of the many collateral victims of this stupid law.

postepowanieadm yesterday at 6:40 PM

Why are you working instead of watching the match?

sigio yesterday at 1:31 PM

Time to use a VPN in your docker pipelines ;) Or run your systems outside of Spain.

Or can this be avoided by using an alternate DNS?

aftbit yesterday at 9:21 PM

What's the current state of the art for VPN'ing through deep packet inspection firewalls? I have imagined building something around TLS and Websockets that connects to a popular cloud provider which is "too big to block". Of course, if they'll block Cloudflare, or all connections outside of the country, maybe _nothing_ is too big to block. I remember some solutions to this in the 2010s, like obfsproxy and shadowsocks, but are there any newer or better options?

giorgioz yesterday at 4:37 PM

POSSIBLE FIX:

I think changing your default DNS servers to Google 8.8.8.8 or Cloudflare 1.1.1.1 might bypass the Spanish Sunday ban on Cloudflare.

macOS + Cloudflare 1.1.1.1 https://developers.cloudflare.com/1.1.1.1/setup/macos/

Google 8.8.8.8 https://developers.google.com/speed/public-dns/docs/using

jesuslop yesterday at 6:19 PM

Just to confirm it is true. This is LaLiga bringing down essential country-wide infrastructure on soccer hours if your internet access is through main ISPs.

Dibby053 yesterday at 5:09 PM

Going to play devil's advocate here but I suspect if Cloudflare had been more cooperative about taking down illegal content, LaLiga would not have resorted to blanket blocking individual IPs.

I would really like to understand more about the process that they should follow but didn't / followed but didn't satisfy them / doesn't exist, in order to remove infringing websites quickly from CloudFlare.

krick today at 4:05 AM

Is it exclusively football or do they try to fight piracy this way for some other major streaming events? I am just curious, because it's just comical to go this far over some dumb ball-game.

zeafoamrun yesterday at 10:34 PM

I don't even like televised sport but this makes me want to figure out how to pirate it at scale

rcarmo yesterday at 8:15 PM

Ah, so that's why my site is "down" there:

https://hayahora.futbol/#sobre-los-bloqueos&domain=taoofmac....

They're blocking the CDN too, not just R2.

christkv today at 10:23 AM

Companies should start suing La Liga for damages please

snickerer today at 9:33 AM

The Internet was originally designed to survive a nuclear war. Now we downgraded it deliberately to not survive a football game.

Decentralised infrastructure: good

Centralised infrastructure: bad

Good and bad for you, of course. For the big companies selling and controlling this stuff, it's vice versa.

Just stay alert and don't chain yourself with big tech dependencies. The reason Git is great is its decentralised nature. If you got so far, why cripple yourself by running your traffic through a single American company like Cloudflare?

znnajdla today at 8:16 AM

How timely. I was just moving off Github to self-hosted docker registries.

Robdel12 today at 1:24 AM

How is this Cloudflare's problem? This is on LaLiga.

laxmanclo today at 6:25 PM

That's crazy

ethin today at 2:28 AM

This is exactly why random corporations need to be gone from government. Or copyright needs to be abolished, one of the two. No corporation (no matter how beloved) should ever have this kind of power. IMO the more powerful an organization becomes, the deeper the scrutiny should be.

dlahoda today at 3:23 AM

Just use Nix.

1. If nix fails to pull anything, it builds (up to and including Linux kernel and compiler).

2. Nix has several ways to build OCI images, some even faster to assemble and slimmer output of official Docker tooling.

3. It is allowed several providers for same artefact to resolve pull.

archon810 yesterday at 11:07 PM

I found out about this a month ago when a confused Spanish user showed me all downloads on https://apkmirror.com (powered by Cloudflare R2) are blocked in Spain during LaLiga soccer matches https://x.com/i/status/2030361569691898237. It was so idiotic, I couldn't believe it. Glad it's getting more attention now.

blurb4969 yesterday at 6:36 PM

Welcome to the club, buddies! Here, in Russia, the government doesn't care about collateral damage at all when shutting down whole Internet in cities. They turn on white list mode, when only approved sites and IPs work. Businesses stop working and start losing money? They don't care. Important IT systems stop working? They don't care. People can't communicate with each other? Don't care. And seems like it will happen everywhere else. Sad to see the whole world goes down apart.
