
Posted by littlecranky67 14 hours ago

Tell HN: Docker pull fails in Spain due to football Cloudflare block

I just spent 1h+ debugging why my locally-hosted gitlab runner would fail to create pipelines. The gitlab job output would just display weird TLS errors when trying to pull a docker image. After debugging gitlab and the runner, I realized after a while I could not even run "docker pull <image>" on my machine as root:

> error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

First I blamed tailscale, DNS configuration and all sorts of other stuff, until I just copied the URL above into my browser on my laptop and received a website banner:

> Access to this IP address has been blocked in compliance with the Judgment of 18 December 2024, issued by the Juzgado de lo Mercantil nº 6 de Barcelona (Commercial Court No. 6 of Barcelona) in ordinary proceedings (Materia mercantil art. 249.1.4)-1005/2024-H, brought by the Liga Nacional de Fútbol Profesional and by Telefónica Audiovisual Digital, S.L.U. https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare

For those non-Spanish speakers: It means there is a football match on, and during that time that specific host is blocked. This is just plain madness. I guess that means my gitlab pipelines will not run when football is on. Thank you, Spain.

670 points | 260 comments | page 6
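The error quoted in the post is a Go `crypto/x509` message, and its wording already narrows down the cause. The following is an added example, not part of the original post: it triages such lines from a CI job log. The category names and hint texts are this example's own assumptions, and every sample line except the first (taken from the post) is constructed.

```python
import re

# Message shapes emitted by Go's crypto/x509 (Docker is written in Go).
# The kind labels and hints are this example's heuristics, not Docker output.
PATTERNS = [
    (re.compile(r"x509: certificate is not valid for any names, "
                r"but wanted to match (\S+)"), "no-names",
     "the answering server sent a certificate with no names at all: suspect "
     "a block page, captive portal or redirected DNS rather than the registry"),
    (re.compile(r"x509: certificate is valid for (.+?), not (\S+)"),
     "wrong-names",
     "another site answered for this host: compare the resolved IP and "
     "certificate from a second network"),
    (re.compile(r"x509: certificate signed by unknown authority"),
     "untrusted-issuer",
     "local trust store or a TLS-inspecting proxy: check the issuer"),
    (re.compile(r"x509: certificate has expired or is not yet valid"),
     "validity", "check the system clock first"),
]

def triage(line):
    """Return (kind, host, hint) for a Go TLS error line, or None."""
    for rx, kind, hint in PATTERNS:
        m = rx.search(line)
        if m:
            # The wanted hostname, when present, is the last capture group.
            host = m.group(m.lastindex).rstrip('.,;"') if m.lastindex else None
            return kind, host, hint
    return None

def affected_hosts(log_lines):
    """Map host -> kind for every name-related failure in a job log."""
    hits = (triage(line) for line in log_lines)
    return {h[1]: h[0] for h in hits if h and h[1]}

SAMPLE = [
    # Line 0 is the error from the post; the rest are constructed.
    "error pulling image configuration: download failed after attempts=6: "
    "tls: failed to verify certificate: x509: certificate is not valid for any "
    "names, but wanted to match docker-images-prod."
    "6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com",
    "tls: failed to verify certificate: x509: certificate is valid for "
    "example.net, *.example.net, not registry.example.com",
    "tls: failed to verify certificate: x509: certificate signed by unknown authority",
    "Pulling docker image alpine:latest ...",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```

A "no-names" or "wrong-names" result points at whatever answered on the network path, so the next check is the certificate actually served, for example with `openssl s_client -connect HOST:443 -servername HOST`, before touching runner or trust-store configuration.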
renewiltord 11 hours ago||
[flagged]
post-it 11 hours ago||
It's not just docker and tech. Plenty of people depend on tools that use Cloudflare.
renewiltord 10 hours ago||
And when you are on your deathbed you will say “I wish I had spent more time on Cloudflare-based products”? I doubt it. No peer-reviewed research has shown people say that.
embedding-shape 10 hours ago|||
Telling someone what to do is even more American, let people do whatever they want, at the times they want, as long as they don't hurt others, this is the Spanish way.
renewiltord 10 hours ago||
Touché. Or should I say “me has tocado señor”. Probably not but it would be funny.
Synthetic7346 11 hours ago||
This comment has some "you should smile more" energy
renewiltord 10 hours ago||
Smile more. Touch grease. Roll coal.
mathfailure 13 hours ago|
Cloudflare is cancer. And the tumor is now too big.
Cpoll 13 hours ago||
You've got it backwards. Spain's ISPs are blocking Cloudflare and other CDNs because of LaLiga/football piracy. CloudFlare isn't doing anything here.
sph 12 hours ago|||
You are correct, but Cloudflare is still a cancer on the Internet.
petcat 12 hours ago||
Rampant bot traffic and scrapers are the real cancer. Until that goes away everyone is going to need cloudflare or some other bot firewall service.
adrian_b 11 hours ago|||
Perhaps that is true, but the Cloudflare anti-bot protection is too stupid and annoying.

They should have used a cookie or something else that does not require asking me every few minutes to prove once more that I am not a bot.

There was a time when Cloudflare had become less intrusive, but for the last months it has begun again to intervene almost each time when opening some pages.

There is no doubt that anti-bot protection can be implemented in a better way than Cloudflare does, but presumably the alternatives would consume more resources on their servers, so probably they choose whatever minimizes their costs, regardless if that ensures maximum discomfort for Internet users.

post-it 10 hours ago||
You're getting frequent verification requests because you're behaving like a bot. Are you modifying your user agent string or using a VPN?
encom 10 hours ago||
Who knows what upsets ClownFlare? I'm using Vivaldi on Linux on IPv6 in Denmark with every uBlock filter enabled and Cookie Auto-delete. That seems to confuse and anger CloudFlare and I get CAPTCHA tarpitted constantly.
post-it 9 hours ago|||
> They should have used a cookie or something else that does not require asking me every few minutes to prove once more that I am not a bot.

> every uBlock filter enabled and Cookie Auto-delete

Hmm

bethekidyouwant 10 hours ago|||
So you know why.
encom 9 hours ago||
No, it could be any, or other, totally normal and reasonable factors. Or maybe I posted too much Cloudflare hate on HN and they singled me out.

They're in the walls!

  NO CARRIER
  +CREG: 0,0
fc417fc802 7 hours ago||||
Those are easy enough to dissuade with readily available PoW solutions. People use CF & co. out of convenience, the exact same reason that most websites load resources from at least half a dozen third parties instead of self hosting.
Duwensatzaj 11 hours ago|||
It won’t. Some people are perfectly happy to destroy and destroy as long as they get some small portion as profit for themselves.
sph 10 hours ago||
That, ironically, includes Cloudflare. Without rampant bots making the internet worse for everybody, they wouldn't have as much work. And their portion of profit is anything but small.
otterley 11 hours ago||||
I know this is an unpopular opinion among freedom maximalists, but:

It’s precisely because CloudFlare isn’t responding like other CDNs to reasonable demands to cut off pirate origin sites that this mess exists. If they reacted quickly to remove configurations that are obviously facilitating copyright infringement, Spain wouldn’t resort to full scale ASN blocking.

How do we know it’s CloudFlare? Because other CDNs like CloudFront, Akamai, Fastly, etc. respond to takedown demands and aren’t being blocked. (Those also cost money and require customer identification.)

In an escalating war between the state and a corporation, the state will always prevail if they have the public’s backing. In Spain it’s clear that most people are happy to watch the match through legitimate channels even at the cost of blocking CloudFlare.

FireBeyond 8 hours ago||
> It’s precisely because CloudFlare isn’t responding like other CDNs to reasonable demands to cut off pirate origin sites that this mess exists. If they reacted quickly to remove configurations that are obviously facilitating copyright infringement, Spain wouldn’t resort to full scale ASN blocking.

Apropos of anything else, CF is (reasonably) requiring a court order to remove offending material rather than just "well, company said so, so eh, just do as they say". La Liga complains that "oh, that's too slow for what we want" and just got a blanket ruling.

I am not a fan of CF but your argument seems to be "CF should just roll over any time someone says "hey, delete this", because, obviously, everyone knows it's problematic, right? Right?".

otterley 8 hours ago||
At least the DMCA in the U.S. has guardrails: not just anyone can send a takedown demand for everything. The requester has to identify the works and declare under penalty of perjury that they are operating on the behalf of the owner. I imagine the equivalent EU law has similar requirements.

CloudFlare uses legal chicanery to try to subvert the DMCA by claiming that because they’re not the origin server, they’re not subject to takedown demands. So far no court has told them to knock it off. I expect that day will eventually come. Every lawsuit against them to date has ended in a settlement because CloudFlare would rather pay up than get an unfavorable ruling on the books.

CloudFlare has consistently treated loss of DMCA safe harbor protection as a material business risk; it’s been cited in every SEC filing from the 2019 IPO S-1 through the FY2025 10-K.

willdr 4 hours ago|||
Nobody cares about the DMCA guardrails and they are never meaningfully enforced. Case in point, Anthropic DMCAing thousands of repositories that simply mentioned the word "claude".
FireBeyond 5 hours ago|||
> At least the DMCA in the U.S. has guardrails: not just anyone can send a takedown demand for everything. The requester has identify the works and declare under penalty of perjury that they are operating on the behalf of the owner.

You'd think so, but no.

DMCA came into effect 28 years ago. All those decades, all those billions of takedowns, and you don't even need the fingers of one hand to count those who've been hit with perjury for a false takedown request, because the number is ... zero.

otterley 15 minutes ago||
You might misunderstand what the law requires. The person making the complaint (demand) only has to declare under penalty of perjury that they represent the copyright holder. It does not require them, under penalty of perjury, to be correct about the underlying facts.

See 17 U.S.C. 512(c)(3)(A):

"(A) To be effective under this subsection, a notification of claimed infringement must be a written communication provided to the designated agent of a service provider that includes substantially the following: ...

"(vi) A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed."

In other words: someone issuing a notice of infringement relating to a Disney work must declare under penalty of perjury that they represent Disney. They don't have to declare under penalty of perjury that the work is in fact a Disney work, that the use in question is not fair use, etc.

This would explain why you're not seeing what you expect to see.

jbxntuehineoh 11 hours ago|||
cf is failing to comply with Spanish law and as a result is being blocked in Spain
skgsergio 12 hours ago|||
I can agree on how much power on the global traffic they have, but these blocks affect many other CDNs like Fastly, Akamai, CDN77, BunnyCDN, Alibaba...
petcat 13 hours ago|||
Spain is mandating their ISPs block cloudflare to stop people from illegally streaming soccer games. Cloudflare isn't the one doing the blocking.
StrLght 12 hours ago|||
You made a few typos in "LaLiga"
ufocia 12 hours ago||
How so?