Posted by littlecranky67 10 hours ago

Tell HN: docker pull fails in spain due to football cloudflare block

I just spent 1h+ debugging why my locally-hosted gitlab runner would fail to create pipelines. The gitlab job output would just display weird TLS errors when trying to pull a docker image. After debugging gitlab and the runner, I realized after a while I could not even run "docker pull <image>" on my machine as root:

> error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

First I blamed tailscale, dns configuration and all other stuff, until I just copied that above URL into my browser on my laptop and received a website banner:

> Access to this IP address has been blocked in compliance with the Judgment of 18 December 2024, issued by Commercial Court No. 6 of Barcelona in the ordinary proceedings (Commercial matter art. 249.1.4)-1005/2024-H brought by the Liga Nacional de Fútbol Profesional and by Telefónica Audiovisual Digital, S.L.U. https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare

For those non-Spanish speakers: It means there is a football match on, and during that time that specific host is blocked. This is just plain madness. I guess that means my gitlab pipelines will not run when football is on. Thank you, Spain.

546 points | 219 comments
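The x509 error in the post is the wording of Go's crypto/x509 package, so here is an added Go diagnostic (not code from the post, Docker or GitLab) for the check a practitioner would run next: resolve the host, handshake with verification deliberately disabled, and ask whether the certificate actually served covers the name requested. The expected addresses coming back from DNS while a foreign certificate is served is the signature of an IP-level block page, which is what the post ran into. The hostname is the one from the docker error; port 443, the timeout and the verdict strings are this example's own choices.

```go
package main
import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"time"
)
type Verdict string
const (
	VerdictOK          Verdict = "served certificate covers the requested name"
	VerdictIntercepted Verdict = "served certificate is for other names: something else answered on that IP"
	VerdictUnreachable Verdict = "no certificate presented: TCP or TLS handshake failed"
)
// classify is the decision, kept free of network code so it can be unit-tested:
// does the leaf certificate we were served actually cover the name we asked for?
func classify(host string, leaf *x509.Certificate) Verdict {
	if leaf == nil {
		return VerdictUnreachable
	}
	if leaf.VerifyHostname(host) != nil {
		return VerdictIntercepted
	}
	return VerdictOK
}
// probe resolves host and handshakes with verification disabled so we can inspect
// the presented certificate instead of only seeing a verify error; that is tolerable
// here only because no application data is ever sent over the connection.
func probe(host string) (addrs []string, leaf *x509.Certificate, err error) {
	if addrs, err = net.LookupHost(host); err != nil {
		return nil, nil, err
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp",
		net.JoinHostPort(host, "443"), &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil {
		return addrs, nil, err
	}
	defer conn.Close()
	if certs := conn.ConnectionState().PeerCertificates; len(certs) > 0 {
		leaf = certs[0]
	}
	return addrs, leaf, nil
}
func main() {
	// The R2 hostname from the docker error in the post. DNS tampering shows up as wrong
	// or empty addrs; an IP-level block keeps the real addrs but serves a foreign certificate.
	host := "docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com"
	addrs, leaf, err := probe(host)
	fmt.Println("resolved:", addrs, "dial error:", err, "verdict:", classify(host, leaf))
}
```

Run it from inside the affected network and again through an exit node outside it; only the verdict should differ, not the resolved addresses, if the block really is at the IP level as the thread says.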
vaylian 9 hours ago|
This is a known issue and it is completely fucked up: https://www.techradar.com/vpn/vpn-privacy-security/cloudflar...

What Spain does is basically censorship and it's very poorly executed. The docker image registry is only one out of the many collateral victims of this stupid law.

embedding-shape 6 hours ago|
> What Spain does is basically censorship and it's very poorly executed

Basically? It is censorship, with huge collateral damage and regardless of how much we complain or share evidence that the blocks are actually financially harming us, no one seems to care as long as La Liga gets to freely block whatever hoster of websites as they wish.

ryandrake 5 hours ago||
It's just like the Great Firewall of China, except in service of football profits instead of political ideology. I don't know which one is dumber and more disgraceful.
embedding-shape 5 hours ago||
I wouldn't say "instead of", just "also", these "football blocks" are not the first cases of censorship of the internet in Spain.

womenonweb.org for example was inaccessible for years, just unblocked some years ago. During the latest Catalan independence referendum, the Spanish government blocked a bunch of websites, not the very least the official website of the referendum itself.

This is just one of the most recent cases, and so far the one with widest regular impact.

Jare 6 hours ago||
It's a disgrace, but apparently all relevant forces still consider soccer the most important thing in the country.
sigio 9 hours ago||
Time to use a VPN in your docker pipelines ;) Or run your systems outside of Spain.

Or can this be avoided by using an alternate DNS?

darkwater 8 hours ago||
They are planning to also block VPN providers during football matches, see https://www.techradar.com/vpn/vpn-privacy-security/la-liga-w...
Mordisquitos 8 hours ago|||
They are not "planning" to block VPNs. A technologically illiterate judge has ordered it, but there are no plans nor mechanisms to enforce it.
darkwater 7 hours ago|||
The exact same stupid mechanism they are already using. Forcing ISPs to blackhole whole subnets if they belong to the VPN provider ASN(s).
chrismustcode 8 hours ago|||
If they can block IPs of cloudflare what extra mechanisms would be needed to block VPN IPs?
chmod775 8 hours ago|||
The only viable way to even get most of them is to shut down internet access entirely. It's not a realistic solution, unlike blocking a few well known IP ranges belonging to a large corp like Cloudflare.

And even if you managed to get them all beforehand, some VPN providers will adapt and keep some servers in reserve, putting them online just as you managed to block the previous ones. Getting around internet censorship is a large chunk of their business, and some are really good at it.

echoangle 5 hours ago||
You don’t really need to block all, you just need to annoy the users enough that paying is easier. And I think there are enough games to use up the IP reserve pretty quickly and getting new ones every time is pretty annoying.
chmod775 2 hours ago||
I can provision a new VPS in about 5s of active work. I'd probably fully automate spinning up new servers and failing over because automatically detecting which got blocked is trivial. Bonus points if you use providers that let you attach multiple IPs to each VPS for cheap. Use some censorship resistant decentralized protocols to provide the next couple IPs to your client software and you're good.

And then they still need to monitor hundreds of VPN providers for whether they have new IPs, which is not necessarily as easy as just grabbing a list of them. Once they have some, they then need to forward them to the ISPs and ask for them to be blocked. Their process is significantly less friendly to automation.

No country ever won this fight short of total shutdown/disconnects.

mr-wendel 7 hours ago|||
It's a game. The VPN marketplace is huge so it's whack-a-mole.

Big companies don't hide their VPN ASNs. Obscure, for sure, but getting a good list isn't hard. Usually they get blocked.

Smaller companies may pass under the radar, and have higher tolerance for risky strategies.

The fringe providers are the problem. They aggressively change IP ranges, front-vs-obscure ownership, and play dirty. Shady folks will resell residential ranges. End-users often get tainted goods.

... and you still have the collateral damage game when VPNs host infra with big cloud providers vs colofarms vs self-host, etc.

prmoustache 8 hours ago||||
When talking about VPNs, it doesn't have to mean "third party VPN". You can host your own on any VPN service outside of Spain.
darkwater 7 hours ago||
Yes, but that's not something many can do easily. Also already having to use a VPN is not the "right" solution. The right solution is to beat some sense into some politician's head, and force them to write and approve laws that don't let stupid (or conniving) judges pass orders like this one we are talking about.
prmoustache 7 hours ago|||
I agree it is not the right solution.

But anyone who is pulling docker images on a Sunday afternoon while the rest of the country is glued to their screen to watch a football game or enjoying a sunny Sunday outside having beers and tapas and what not should be capable of setting up wireguard.

marginalia_nu 7 hours ago||||
Given the context of the HN audience, it's probably something you can do.
msh 5 hours ago|||
It takes very light technical skills to deploy algo
ufocia 8 hours ago|||
"A _Sanish_ Court has ordered NordVPN and Proton VPN to block IPs transmitting illegal football streams" [emphasis added], that is inspain.
skgsergio 8 hours ago|||
Alternate DNS doesn't help, they block at IP level.

Yes, they block IPs belonging to CDNs (CF including R2, BunnyCDN, CDN77, Fastly, Alibaba, Akamai even)...

gred 4 hours ago|||
> run your systems outside of Spain

So much for digital sovereignty :-)

littlecranky67 7 hours ago||
It is not a DNS based block, but on the IP level. Once I knew what caused the issue, I figured I use one of my Hetzner vServers as an exit node in tailscale.

But come on, this can't be true. I wonder how many other people in IT wasted hours on issues and tickets to find out it is due to a football match taking place. Admittedly, chances are low, as football matches are usually outside of office hours.

Dibby053 5 hours ago||
Going to play devil's advocate here but I suspect if Cloudflare had been more cooperative about taking down illegal content, LaLiga would not have resorted to blanket blocking individual IPs.

I would really like to understand more about the process that they should follow but didn't / followed but didn't satisfy them / doesn't exist, in order to remove infringing websites quickly from CloudFlare.

integralid 2 hours ago||
I work with actually malicious content (things that make people lose their life savings) and Cloudflare abuse is relatively helpful (compared to most ISPs who just don't care).

They just refuse to take down random things that some media company representatives send their way, without a court order or any oversight. And this is a good thing.

JoshTriplett 3 hours ago|||
LaLiga wanted the right to tell Cloudflare to block specific sites without going through a court.

Cloudflare, rightfully, said that was ridiculous and unreasonable.

A Spanish court, wrongfully, decided to let LaLiga block all of Cloudflare.

lokar 3 hours ago||
They will take down anything you get a judge to agree with.
postepowanieadm 4 hours ago||
Why are you working instead of watching the match?
LtdJorge 4 hours ago||
Thankfully, Adamo hasn’t implemented the blockade yet (if ever).
thomasjudge 3 hours ago||
Could you bypass this with a VPN?
tossandthrow 3 hours ago|
Yes, and all of Spain is learning how to use VPNs
Magnets 6 hours ago||
BT used to block the entire streamable.com site during football matches
blurb4969 4 hours ago||
Welcome to the club, buddies! Here, in Russia, the government doesn't care about collateral damage at all when shutting down the whole Internet in cities. They turn on white list mode, when only approved sites and IPs work. Businesses stop working and start losing money? They don't care. Important IT systems stop working? They don't care. People can't communicate with each other? Don't care. And it seems like it will happen everywhere else. Sad to see the whole world fall apart.
fc417fc802 3 hours ago|
I think perhaps there's a difference in expectations between wartime versus a country at peace going after pirates.
blurb4969 3 hours ago||
I wanted to say that Internet freedom dismantlement is a global trend.
fc417fc802 3 hours ago||
Fair enough, I completely agree. However in the case of Russia specifically, I understand that at one point Ukrainian drones were making routine use of mobile internet within the country. Temporary internet whitelists seem like a reasonable alternative to complete blackouts in that scenario. There are plenty of historic examples of malware using just about any communication platform for the C&C transport.
jimaek 8 hours ago|
Off topic but I wonder when Cloudflare is going to launch their own Docker registry as a product.
ImJasonH 8 hours ago||
It's pretty easy to write your own. I made this one a while ago: https://github.com/chainguard-dev/crow-registry
ai_slop_hater 6 hours ago|||
https://github.com/cloudflare/serverless-registry
jimaek 6 hours ago||
I've seen it but it's buggy and lacking in features. Feels like an afterthought instead of a real product
wqtz 8 hours ago|||
Well, Cloudflare does not launch anything. They acquire to build products. Look into all their recent product launches. They acquired a relatively small company and converted the founding team to a product team.

So, if you want them to build stuff, ask yourself, are there any "Docker Registry" startups out there. If jsdelivr/globalping is not keeping you busy enough... there is an idea

jimaek 7 hours ago||
Honestly I would build it if I knew how to properly market it to quickly get users.

Globalping and jsDelivr took years to gain a meaningful user base

wqtz 7 hours ago||
I do not think that is the issue. The recent acquisitions from all these big tech companies did not have any "meaningful" user base to begin with.

I think your name alone carries significant weight in the industry and you have built a very large community.

If you even vibe code something, you will get a stupid amount of money thrown at you and a contract that binds your existing projects and the next 3-5 years to a particular company as project lead.

Here is a list of acquisitions Cloudflare made recently: https://blog.cloudflare.com/tag/acquisitions/

Most of these companies did not have half a dozen paying customers or even a fully fleshed-out product before they were acquired.

jimaek 6 hours ago||
I wish I had as much faith in myself as you have in me :)
vaylian 8 hours ago||
What would the business case be?
jimaek 8 hours ago||
Capture developers and funnel them to the Workers platform