Tell HN: Docker pull fails in Spain due to football Cloudflare block
698 points by littlecranky67 15 hours ago
698 points by littlecranky67 15 hours ago
I just spent 1h+ debugging why my locally-hosted gitlab runner would fail to create pipelines. The gitlab job output would just display weird TLS errors when trying to pull a docker images. After debugging gitlab and the runner, I realized after a while I could not even run "docker pull <image>" on my machine as root:
> error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com
First blaming tailscale, dns configuration and all other stuff. Until I just copied that above URL into my browser on my laptop, and received a website banner:
> El acceso a la presente dirección IP ha sido bloqueado en cumplimiento de lo dispuesto en la Sentencia de 18 de diciembre de 2024, dictada por el Juzgado de lo Mercantil nº 6 de Barcelona en el marco del procedimiento ordinario (Materia mercantil art. 249.1.4)-1005/2024-H instado por la Liga Nacional de Fútbol Profesional y por Telefónica Audiovisual Digital, S.L.U. https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare
For those non-spanish speakers: It means there is football match on, and during that time that specific host is blocked. This is just plain madness. I guess that means my gitlab pipelines will not run when football is on. Thank you, Spain.
Heh, lucky you, at least you get a message. My ISP just drops traffic to the affected IPs. No ping, no traceroute, just a spinner in the browser until it says "page not found". Every response and comment from LaLiga, the football organization responsible for this, has been so far that this is a minor issue that only affects a few bunch of nerds who talk about "docker images" or "github repositories" or "whatever that means". Meanwhile, there are testimonies of smart home devices like anti-theft alarms or automatic doors, that stop working whenever there is a football match, because their backends rely on Cloudflare. Last week, a woman asked for help on social media, as the GPS tracking app she uses to see where her father with dementia is, went offline during a match. It was getting late and he still wasn't back home, and she couldn't locate the tag he was wearing to find him: https://www.infobae.com/america/agencias/2026/04/05/laliga-d... It's hard to say this, because no one should experience an event like this, but as stressful as these are, it's the only way to make the mainstream people care about this censorship. "I cannot pull a docker image" will never be on nightly news, but safety and personal security is a more powerful driver for discourses. > Heh, lucky you, at least you get a message. My ISP just drops traffic to the affected IPs. No ping, no traceroute, just a spinner in the browser until it says "page not found". This is generally how the GFW works in China. Instead of an overbearing nanny like a school or corporation's DNS blocker, you're left with a sense that you're on a version of the Internet that is just intermittently and somewhat mysteriously broken. And indeed, in China, a lot of things that probably aren't fully intended to be blocked are not reliably accessible. Implementation varies, so you get strange routing and peering issues. It feels like an Internet that isn't fully formed, that hasn't finished coming together yet. Nation states and corporations obviously gain some things sometimes by having Internet censorship/blocking frameworks in place. Maybe, sometimes, ordinary people even benefit, too, if it helps shut down illegal and genuinely harmful businesses. But it feels like the whole world is gradually trending towards more and more Internet censorship without realizing that we are un-building a miraculous thing that took enormous effort and cleverness and expense to build. I wish we could think about this not only in terms of freedom (and we absolutely should think about it in terms of freedom), but how we are disintegrating the infrastructure of communication and computing. Your last paragraph: it is sad. But we had successful global networks before the Internet (the PSTN, telegraph) and we'll certainly have global networks after this at some point in human history. Perhaps in the the time between the Internet and what's next, the world will become a bit more mature about a few things. Those predecessor networks weren’t problem free. Many conversations to “interesting” places were monitored. The counter-reaction to this era will include additional communication control. this is teleological thinking. it's not necessarily the case that things get better over time. > But we had successful global networks before the Internet (the PSTN, telegraph) These were ripe with espionage, wiretapping and sabotage. Access to it used to be highly restricted as well, up until the 90s for example you were only allowed to connect government-licensed modems to the German PSTN directly. > These were ripe with espionage, wiretapping and sabotage. Just like today's Internet. BGP spoofing, CALEA, DDoS. > Access to it used to be highly restricted as well ... And this is where the regression or "downfall" is beginning. Access to the Internet (as in ability to send/receive arbitrary data to the wider Internet) is something I bet is going to be increasingly restricted, but most people won't notice because they don't understand the difference between apps and the Internet. I'd be surprised if direct access to the Internet is possible for consumers in the next 10 years. Everything will have to be through approved apps (age assurance is going to be the catalyst) that work over registered tunnels contracted through ISPs, if there isn't an outright blurring or merger between the concepts of phone/CPE, ISP and CDN. Your non-tech layperson will not know any difference whatsoever if all they use are their phone plan, streaming/banking apps and Facebook. Surely this was simply the nature of Deutsche Bundespost / Deutsche Telekom? Like, of course you had to use hardware they had approved to connect to their network. This was the same in many places. The cost of hardware and connection time limited connections, and no one had cryptography except the government and ultra nerds. There was also no way for a normal person to easily and cheaply communicate with 20 million people in realtime. > a version of the Internet that is just intermittently and somewhat mysteriously broken. That's actually just how the Internet is. Nothing to do with the great firewall. All people affected should file a complaint with your ISP and with Oficina de Atención al Usuario de Telecomunicaciones claiming financial loss for arbitrary service censorship. I've been filing complaints since a year ago, told others to do the same too, nothing happens. There been moments I've meant to deploy fixes to issues but I cannot, because some tooling goes offline. I've claimed financial loss, claimed sanity loss and everything in-between, but I'm afraid unless something reaches the European/EU courts, Spain will continue to be in the pocket of the La Liga owners. Straight up fucking censorship with wide collateral being completely accepted in a Western country in 2026, beyond comprehension how this is allowed. Whenever I get a little down over how much power unelected corporations have in my country, I can at least cheer myself up a little by being thankful that something as stupid as football doesn't have enough power here to control whether or not I have internet access. Ignorance is a bliss, agree :) Sometimes we all need to force ourselves into that so we can get a bit more joy. It would if it were bigger business in your country. Try torrenting an MCU movie and see what happens to your ISP account. Someone in Texas torrenting an MCU slop doesn’t disconnect me from half the Internet. If this is done at the DNS level, run your own DNS. If not, use a VPN. Taking this to the courts is a long term solution, but in the short term you want to act on your own to evade censorship and oppression. If anyone who’s capable in Spain set a petition or the relevant steps and put it on HN. I’m pretty sure any Spanish resident in HN would be more than happy to take part even if it means to send a Bizum for the cause. (Sadly as living in Spain for about a year I’m still not in such place to raise this or understand the full steps needed) how do you make claims, here: https://usuariosteleco.digital.gob.es/? Can't find a way of doing it with Cl@ve I've used this: https://usuariosteleco.digital.gob.es/reclamaciones/telefoni... Used my digital certificate (which is installed in the browser), but AFAIK, you can use Cl@ve on that page above too. In the past, I've cited BOE-A-2022-10757 (https://www.boe.es/buscar/act.php?id=BOE-A-2022-10757), done a reclamació for the repeated loss of lawful access on my connection, and a denúncia about a broader overblocking practice affecting access to lawful services. Also, supposedly, we should be able to make claims to CNMC as well, but haven't figured out how. Also of course, been complaining to my ISP every time it happens too. Because the EU as a whole is quite happy to censor and generally wield the same tricks as "non-Western" countries in their desires to combat misinformation (however our EU bureaucrats define it), child abuse materials (see Chat Control that thing is not going to go away), and hatred (oh boy). We've never guaranteed the right to free speech and because we haven't it's a slippery slope all the way back down to the furnaces of autocracy we sprang from. The Spanish president has come out on record saying we don't deserve anonymity on the internet. It would be great if there was a webpage with clear instructions on how to do this, maybe fill out a few questions and get a printable pdf you can mail, or at least telling you how to file an online complaint. Making complaints very low friction will lead to more of those and perhaps more attention to the issue. Snail mail uses up physical space so it might get more attention, it would be hilarious to see news reports of truckloads of complaint mail being dumped in front of the whatever office. > It would be great if there was a webpage with clear instructions on how to do this, maybe fill out a few questions and get a printable pdf you can mail, or at least telling you how to file an online complaint. Making complaints very low friction will lead to more of those and perhaps more attention to the issue. This is a great idea, we definitively should make this happen! If people are curious on collaborating on something, reach out, email in profile (English or Spanish emails welcome!). Sadly, it won't accomplish anything. La Liga seems to have enough political power in the country to bury all of that. Probably bribing everyone involved. Corruption at that level could mean organized crime. Is there a culture of betting through illegal bookies, are they fixing matches, or ¿porque no los dos? No, its worse than that. If you wish, learn about FIFA and how it works. At least the mafia fears the government somewhat...FIFA doesn't. Well, I think when the organized crime is registered as proper businesses and they have the judges on their side even if the law isn't, I think we just call that "for-profit capitalism" nowadays. At this point the protests should be against the matches themselves. But let's be honest: nobody cares anymore. It's ridiculous and wrong what LaLiga does. But it's also a weakeup call to consider ditching cloudflare's centralization. The only reason this happens is because Cloudflare's centralization makes precise censorship impossible. That's bad in this particular case (as it results in over-broad censorship), but good in general, as it makes censorship harder. Without Cloudflare, you can censor whatever you want. If you have the support of an (undemocratic) government on your side, you can even DeDoS them, making sure that information critical of you cannot see the light of day. The companies relying on cloudflare won't be in Spain. If you buy a GPS tracker by a Canadian company, developed in India, manufactured in China, they are unlikely to know, even it they cared, that a single country that accounts for a tiny percentage of their sales breaks fundamental internet infrastructure on the regular "because fútbol y dinero". And when purchasing a product, there's no "bill of materials" telling you about the services it relies on, beyond "internet connection" at best. >fundamental internet infrastructure I'm not saying this situation isn't bullshit, but the bigger problem is that CloudFlare is now "fundamental internet infrastructure". This is precisely the situation that the internet was designed to prevent. Yesterday I got stuck in endless CloudFlare CAPTCHA's, trying to access theretroweb.com. I had to give up. Many such cases. I hate CloudFlare so much, it's unreal. > This is precisely the situation that the internet was designed to prevent Right, but on the other hand, our constitution and laws are supposed to give us the rights to access a internet where the government cannot block entire companies who host websites, because a few bad websites are hosted there. Not to mention all us freelancers, contractors and just in general computing users, who sometimes want to continue working although 90% of the country is watching football, we should be able to do so even if pirates use Cloudflare for shitty stuff. I agree that Cloudflare sucks, people should avoid defaulting to putting Cloudflare in front of absolutely everything they do and I too get stuck at the CAPTCHAs sometimes. But that doesn't remove the fact that Cloudflare, just like every other lawful company, should be allowed to be visited during La Liga matches. I’d love for a way to put all my sites behind Cloudflare only during La Liga matches. It takes very little money to rent massive botnet capacity to perform crippling DDOS attacks. Unfortunately there are only very few CDNs capable of absorbing that kind of attack. I agree with this take (that it’s a wake up call). Makes one question their entire app design and if using Cloudflare is “good enough” for managing CDN, tunnels, etc. for their apps. > there are testimonies of smart home devices like anti-theft alarms or automatic doors, that stop working whenever [...] because their backends rely on Cloudflare. The fault here lies 100% with horribly designed IoT devices that turn into bricks when they lose internet connection. Perhaps its time to put a VPN into all your CI jobs You can't fight political issues with clever technical solutions Yes you can. Fight with clever technical solutions and the politics will follow once the solution becomes common or displays its usefulness. It is in fact the most effective way to fight dumb political issues. In my country (Russia) the politics followed, now the ISPs block the OpenVPN and wireguard packets. And sometimes the white list mode is enabled, so you cannot connect, with your clever custom VPN solution, to a host outside the country You should be able to use things like sshuttle or even tunnel through HTTPS whatever you want, right? As you can control both sides of the tunnel with encryption (comes by default), no MITM-ing unless you are forced to use solutions that install and eavesdrop on your secure traffic too. 1) they do protocol sniffing, and any inconsistency (including statistical) gets you blocked
2) "white list mode" which engaged sometimes (poorly implemented atm), means nothing goes outside of country at all (means 99.9% of everything is broken). They really want to become North Korea soon If they turn off the internet, that gives you more time to meet your neighbors and do "arts and crafts" and read (cook)books. He's getting so old, at some point the horse throws him off It depends on what the political system is trying to do. A VPN won't help against government blanket outages, where the target is complete control of communications, and attempts to circumvent may result in extreme penalty. In this case, where the government policy is to stop unauthorized streaming, and collatoral damage is acceptable, a VPN hosted in a more favorable location is likely to work enough. Afaik, I don't think Spain has the political appetite to block VPNs and such during football matches. You can still fight the political issue with political means, but in the mean time, you can also get work done. > Afaik, I don't think Spain has the political appetite to block VPNs and such during football matches Unfortunately nobody is quite sure what appetite they have, because LaLiga is doing this all on the back of a relatively narrow judicial ruling that hasn't been reviewed in a long time That's actually part of rebellion modus operandi, so totally something realistic. But not within the frame of law and not in the sweet position of someone away from the "I'll die for the just cause" mindset. can you rephrase your idea please. What's realistic, fighting stupid laws or corporations with a VPN? Yes, but not for long. They are always stronger than you, they can switch from blacklisting to whitelisting and your VPN becomes useless. What is this "sweet position" you talk about? Sorry for being unclear. I was trying to refer to an actual rebel position, which is actors which use illegal practices to achieve their goals agaisnt institutions in place. Which might have the cool attitude imagery attached to it, but which is certainly not an easy one in reality. That became a popular refrain at some point but the truth of it varies. In fact many political issues are brought about by technical changes so obviously the reverse must be possible as well. What technical solutions can't change is the underlying social dynamics. Even that is IMO untrue: "technical solutions" have indeed changed society at large quite significantly; eg. "social media" is one very influential example, "smart phone" is another, "internet" itself, etc. Aren't you agreeing with me? None of those things changed the underlying social dynamics that humans exhibit but they nonetheless affected widespread social and political change. They block the whole of Cloudflare R2, I believe the Docker hub is just (heh) a collateral. When the La Liga match starts, everything that's proxied via CF (including zero access reverse tunnels) stops working. There's even a website made for checking if the match is on: https://hayahora.futbol/ You can check if your host is affected: https://hayahora.futbol/#comprobador&domain=docker-images-pr... Why do they do that? Sorry, I don't speak Spanish. The football league would rather not have pirates livestream their ~90 minute games. Pirates would rather not be blocked, so they create a new, disposable website for every game. Any blocking must happen fast. Cloudflare would rather not block websites without a court order specifying the sites to be blocked. The courts would rather not create a special fast lane through the courts, just to resolve a squabble between two huge corporations. > The football league would rather not have pirates livestream their ~90 minute games. Funny enough, I work in IT and I've had to use a VPN to be able to do my job when soccer is on, but my two non-tech-savy family members that do watch soccer using pirate livestreams say that they've never had any issues with blocked streams. I work in IT and have found that the issue impacts my work but not my ability to stream sports from sites of questionable legality. Of course, I don't pirate La Liga matches but that's primarily because I don't give a shit about soccer. But the point is that the measure does more to block legitimate use than illegitimate (in my experience). And next they want to go after VPNs. Wonderful. But you must realize, the alternative to this is that some very wealthy Spanish companies ... lose a small amount of money. Surely you understand now. Go about your business, poor person. They don't even "lose a small amount of money." They simply gain less money than usual for a short period of time. Think of how rough that is for them. Arguably they even gain more money in the long run, because more people have access to their entertainment and they have more opportunities to form life long connections with consumers. I think it's even that they "gain less money than they could if everyone watching illegally would pay for it when they could not watch illegally" (that's usually how companies crying "piracy" calculate "losses" — "let's assume everyone watching illegally would certainly still watch it and pay the full price"). I once remember reading an article about shareholders selling off a stock because the rate of increase in profit had slowed. In all fairness, the Spanish economy is a mine, a farm and a soccer league in a trenchcoat. Better than Ireland which is 2 tax shelters in a trenchcoat, but not by much. Not surprisingly, they are the 2 most left leaning countries in Europe. To be fair, they had an actual fascist government in Spain for several decades and there were atrocities committed. Ireland, the country with 2 center right parties that differ with regards to patronage networks and political history from 1940, is one of the most left-wing leaning countries in Europe? > Cloudflare would rather not block websites without a court order specifying the sites to be blocked. why would they? > squabble between two huge corporations I think this is just LaLiga using it's cultural and economical power, don't think Cloudflare or the courts should be making exceptions just so they can control how people watch football > why would they? Well, in this case, the alternative is all of Spain intermittently blocking lots of Cloudflare. But if Cloudflare bows to Spain in this case, every jurisdiction will want to pile up lots of special case rules for Cloudflare to try and implement. LaLiga isn't Cloudflare's customer. They have no relationship. So why would Cloudflare rework their infrastructure just to instrument rapid blocking at their own expense as a favor to LaLiga? And if they don't, ISPs just break the Internet for each soccer match? This is a kind of coercion that makes no sense. Cloudflare has no obligation like this to LaLiga (and neither would a Spanish domestic CDN!). The reason why entities comply with the wishes of courts is because there's consequences if they don't. Consequences like being filtered. Cloudflare has not in fact refused to comply with any court orders! The very thing at issue is that LaLiga wants Cloudflare to do censorship on their behalf that Cloudflare, who has no contractual relationship with LaLiga, is not required to do by any legal framework in Spain or the US. Cloudflare literally wasn't even a party to the ruling by which LaLiga has been compelling Spanish ISPs to do the IP-level blocking. They're just an affected third-party because the blocking scheme the courts have allowed LaLiga to impose on ISPs is on a per-IP basis. Spain hasn't asked Cloudflare to do anything. Only LaLiga has acted like Cloudflare owes them a huge, expensive rework of their CDN's architecture for the purpose of censoring things for LaLiga purely as a favor to LaLiga. What LaLiga had over Cloudflare isn't a court order. It's a protection racket, or maybe a hostage situation, where court orders involving other parties are the gun held to the hostage's head. >why would they? Plenty of companies proactively take action against shady users, even if not 100% required under law. Youtube has content id, social media companies have "community guidelines", and ISPs have AUPs. The US is captured by the Israeli lobby. Spain is captured by the football lobby. So what, do they just block a range of IP addresses and are then done with it? technically, LaLiga themselves doesn't even do the blocking. They have a court order from some years ago that allows them to compel all the individual ISPs to block any IP addresses they specify, with no oversight or review This must negatively impact a huge number of businesses. Is there no move for them to all get together to take legal action against LaLiga to stop them doing this? This is the country that takes a 2 hour nap every day. They also have a sleeping contest every year with a winner and everything. And Spain isn't hot like Mexico where folks take 2 hours off in the topically heat and make it up for it in the evening because that's more efficient. Here's a good English-language article about it, with a timeline: https://daniel.es/blog/cloudflare-vs-la-liga/ Looks like same old regulatory capture. Also, a classic tweet from the Cloudflare CEO re their fight with Italians authorities re censorship: https://xcancel.com/eastdakota/status/2009654937303896492 Everyone looks bad in this conflict. How does this make Matthew look bad? Matt acting like he's a free speech absolutist. Hilarious. Because LaLiga and football in general is what is governing Spain really. The website has a language selector on the right just below the initial screen, just FYI. Ah man, that shader in the background is like a rite of passage for people including a shader on their website. Ah the irony, I'm blocked from viewing that page by Cloudflare Performing security verification This website uses a security service to protect against malicious bots. This page is displayed while the website verifies you are not a bot.
Incompatible browser extension or network configuration This is a great example of why blanket IP blocking is such a terrible enforcement mechanism. Cloudflare hosts hundreds of thousands of services behind shared IP ranges — blocking one IP to stop a piracy stream
takes out everything else on that IP, including Docker registries, API endpoints, and CDNs that have nothing to do with football. > This is a great example of why blanket IP blocking is such a terrible enforcement mechanism AFAIK, they're not doing "blanket IP blocking", they're intercepting requests based on DNS and IP, and try to serve their own certificates and their own content. Obviously, in most cases it fails, as the certificate doesn't match the site, so the browser rejects it, but as far as I can see and tell, there is no "blanket IP blocks", more like "DNS and IP interception". The difference doesn't really matter in practice, sucks regardless, but I thought I'd clarify for the ones who are not experiencing these blocks themselves at least. just wait until they block Azure as well so the official La Liga site also stops working Dumb question but why don’t the pirate sites all host on Azure if Cloudflare is blocked and Azure isn’t? i have no data to back this up but in the past cloudflare was much more lax with piracy sites and I can imagine that Azure is stricter with blocking them I would imagine they do. The people running the pirate sites know what they are doing. Noone who really wants to stream pirated games is stopped. Blocking CF is performative, not effective. I wondered how they actually managed to have their own business to be unencumbered by that. At a certain corporate level, you have to have some piece of tech in your portfolio that relies on cloudflare. I hope one day there companion or "2nd screen" apps stops working during a game, because using cloudflare. Hmmm. Don't they have a reporting form or something like that? Down with those filthy Azure pirates on IP 52.166.113.188. Starting a new business I see...this actually seems like the best form of protest here so good luck to you. Barring an Internet giant suing them in court, it really feels like this is unlikely to change as most just don’t understand the why or the effect. Someone needs to write a heist movie set in Spain where a key part of the plan is they steal something while La Liga is blocking some key security route. This is far from the first time that I see on HN indignation on LaLiga blockings. Sadly all this rage does not seem to lead to any change. I'd like to suggest some steps that might/should be followed, which I will not pursue personally but in my defense - I do not live in Spain and not affected. 1) (first! low-effort) Somebody should create any space on the internet, where such anecdotes might shared and probably people with common goals of fixing internet access in Spain will meet. E.g. telegram group, discord channel, subreddit... 2) probably create wiki with related research: legal framework and possible actions etc 3) Raise public awareness. Create a resource/website with schedule of past and future "semi-blackouts", simple explanation of possible effects a layman may notice etc 4) Explore legal actions that might be taken. How this issue might be forced to be discussed by politicians? For instance I know that Portugal has official mechanism to put forward petitions, that will be discussed in parliament if get enough votes [1] Space of possible demands in such petitions is vast. For instance: - Make LaLiga compensate partly price of internet access - Force LaLiga to include education notice in the beginning and the of translation with title like "Start of reduced internet connectivity" / "End of reduced internet connectivity" This is the moral equivalent of shutting the water off for a whole city because one dude's house has a leak. The harms to society clearly and obviously outweigh any possible benefits to society. But if that one dude has the power to shut it all off, and doesn't care... If you think that's even remotely close to the worst the Spanish government has done, don't look up "Catalunya". https://int.assemblea.cat/civil-and-human-rights-abuses/tool... Just so everyone here has the full picture: the source linked — Assemblea Nacional Catalana — is not a human rights watchdog, an international observer, or a journalistic outlet. It is the main pro-independence criminal activist organization in Catalonia. Citing them as evidence of Spanish human rights abuses is a bit like citing the murderer's wife as an impartial witness. For context, Spain is a full constitutional democracy, subject to the jurisdiction of the European Court of Human Rights, with a free(ish) press, independent judiciary, and regular elections — none of which Assemblea itself disputes, because it participates in all of them. The events OP is referencing (the 2017 independence referendum aftermath) were reviewed by European courts, and the outcomes were, shall we say, not quite the narrative Assemblea sells on its website. If there are genuine, documented human rights concerns, I'd welcome impartial sources from the Supreme Court or the ECHR. What I'd push back on is treating a political lobby's own press releases as neutral reporting. You should do better than that here, OP. As a Spaniard, I would be very happy it cloudflare stops serving Spain. The situation is beyond stupid and I know without international pressure and shaming we're not getting rid of this abuse. They should at least do a single "awareness day" during which they block the same IPs and sites they are ordered by court, as if there was a football match on. Ideally with a 7 days public notice announcement. Probably won't happen though, as their contractual obligation won't allow for voluntary suspension of services. As a Spaniard I couldn't agree more. This situation is just absolutely ridiculous. As a Spaniard, this also happens to me. You can either use a VPN or just switch DNS servers to one that doesn’t have anycast nodes in Spain. Cloudflare’s authoritative DNS uses EDNS Client Subnet (ECS) to return different IP pools based on where the query originates. Spanish resolvers get IPs from a range that La Liga blocks. If your recursive resolver is physically outside Spain (or you use DoH/DoT to tunnel to one), Cloudflare returns a different, unblocked pool. AdGuard DNS works well for this. Hah. I have had to use a US-based VPN to access GitHub pretty much every weekend lately. La Liga's efforts to curb pirate TV streams are basically undermining the internet itself at this point. This is also not new behaviour - Theo posted a YouTube about it nearly a year ago[1]. This is why technology businesses and professionals need to take a little bit of an active role in local politics. Otherwise you get nonsense. We also need more tech-savvy politicians in office. There are a lot of politicians who are expected to legislate on important technology issues that barely know how to use a cellphone. That's an interesting euphenism for 'spend a massive amount of money on ~~corruption~~ lobbying', not necesarilly, any government will make decisions, if there's no one to speak up and inform them why the decision is stupid, like the one from LaLiga, then we end up in this situation This is incredibly naive. ok, then what do you suggest? we don't get involved and decisions at the government level are made for us? I might be naive, but let's not be restrained by the cynicism of any involment in politics and governance is corruption What? This is how governance and public opinion happen, at least in Spain. Government does something bad? Everyone out on the streets to complain, and calling politicians to change their mind. Sometimes it works, sometimes it does not, but doing nothing is never an option if you disagree with what they're doing. To think that doing nothing is better than something, that's incredibly naive. Doing nothing can't be better, but it's entirely possible that doing nothing has exactly the equal effect as doing something. > but it's entirely possible You're right, it possibly has the same effect. How could we figure out what's the actual answer in practice? This behavior of blocking some domains and IP ranges during LaLiga games has become a routine by now. You might also want to check these similar submissions: My game's server is blocked in Spain whenever there's a football match on: https://news.ycombinator.com/item?id=45358433 Spain’s LaLiga has blocked access to freedom.gov: https://news.ycombinator.com/item?id=47114235 Maybe it’s time to reflect upon the reliance on centralized services?
Not long ago docker hub started rate limiting access and we all turned to blanket solutions like the GitLab registry cache.
I wonder if the IPFS distributed docker registry thing still exists/works. This isn't really about centralization. ISPs are blocking at the IP level, not Docker Hub specifically. You could self-host a registry behind Cloudflare and still run into the same thing. This is inexcusable. Just because sports right holders are worried about piracy doesn’t give them license to break normal internet operations. Spain, get your act together and put your equivalent of the content cartel in the penalty box. [Meta comment] Humankind is not doing well with implementing new policies. We should really strive for each new policy (like in this case - blocking access to some parts of internet during soccer games): - Consider running policy in small scale scenario (e.g. testing blocking in small parts of Spain before whole country rollout) - Implement channels to gather info from those who are faced with results of policy implementation (in this case: the op got webpage with description why the page is blocked - a bit of sanity! It would be better if it was served with HTTP code 451) - Policy instructions - When deciding on policy put a date at which policy should be reconsidered and revised using data collected during the time when it was in effect - ... and some more I have not thought about. Let's strive to cultivate this principles in all life areas where we can affect how new policies are implemented. (edit: linebreaks) This is exactly why random corporations need to be gone from government. Or copyright needs to be abolished, one of the two. No corporation (no matter how beloved) should ever have this kind of power. IMO the more powerful an organization becomes, the deeper the scrutiny should be. Here in Brazil sometimes my ISP goes into a weird state where I can't SSH into a remote machune. Got two ISP links here and still sometimes I need to resort to Mullvad to get stable internet I'm in Spain as well and it sucks a lot. What I do now is I go thorough Cloudflare 1.1.1.1 VPN (set up on my router). Fixes the issue and there is practically no latency or bandwidth impact. You mean 1.1.1.1. DNS? Or do they also serve a VPN through that IP? It's probably just DNS (port 53). It's the way Europeans tend to implement their censorship, with the ISPs as executors. It's trivial to bypass, but most non-technical users don't know how, so it's good enough to comply. How is this cloudflares problem? This is on LaLiga. It might not be Cloudflare's fault, but it is their problem. If their customers can't use their products sporadically, it doesn't really matter why. Cloudflare taking a principled approach hurts their users in the short term, so they have to make a business trade-off between pragmatism and principle. Currently they're choosing principle, so it's reasonable to be angry at them for the short term issues that causes. > instado por la Liga Nacional de Fútbol Profesional y por Telefónica Audiovisual Digital, (The trial was initiated by LaLiga and Telefonica...). "Telefonica" is the (exclusive) distributor for the rights of streaming the matches, and is only (of course?) the main consumer (and business) Telco in Spain: they are in a game they cannot lose. This is such an abuse and no government (this, past, whichever) has done anything about it. It is also educational to look up the overlap between Telefonica directors, LaLiga directors, and the government officials who granted the defacto monopoly What's the current state of the art for VPN'ing through deep packet inspection firewalls? I have imagined building something around TLS and Websockets that connects to a popular cloud provider which is "too big to block". Of course, if they'll block Cloudflare, or all connections outside of the country, maybe _nothing_ is too big to block. I remember some solutions to this in the 2010s, like obfsproxy and shadowsocks, but are there any newer or better options? I don't even like televised sport but this makes me want to figure out how to pirate it at scale I had to Google why this happens, blocking cloudflare during football games seems.. Arbitrary, to say the least. Maybe something to do with hooligans trashing entire cities when their team loses? I could almost get behind that, if I thought it would work.. But no, it's apparently to stop piracy!? Turning off half the internet, and mostly the legitimate parts at that (since when do pirates use cloudflare?) seems like probably the worst method to go about it. Someone ought to start streaming those games illegally without using cloudflare just to demonstrate how stupid this policy is > Someone ought to start streaming those games illegally without using cloudflare just to demonstrate how stupid this policy is Oh, the icing on the cake is that they already do. While my whole dev stack gets shut off every weekend, my neighbour watches pirate futbol streams just fine - not only is it a stupid policy, it's an ineffective one, and the pirates bypassed the bans ages ago Makes you wonder why they keep the ban up? Are more people watching more football now that everything else stops working during matches? Talk about unfair business practices! Pirates use cloudflare because it solves their biggest problem, DOS attacks. Rights owners figured out that they can shut down these sites by DDOSing them which bypasses the courts and can be done instantly, so the pirates put their sites behind cloudflare ddos protection. This is a know issue and it is completely fucked up:
https://www.techradar.com/vpn/vpn-privacy-security/cloudflar... What Spain does is basically censorship and it's very poorly executed. The docker image registry is only one out of the many collateral victims of this stupid law. > What Spain does is basically censorship and it's very poorly executed Basically? It is censorship, with huge collateral damage and regardless of how much we complain or share evidence that the blocks are actually financially harming us, no one seems to care as long as La Liga gets to freely block whatever hoster of websites as they wish. It's just like the Great Firewall of China, except in service of football profits instead of political ideology. I don't know which one is dumber and more disgraceful. I wouldn't say "instead of", just "also", these "football blocks" are not the first cases of censorship of the internet in Spain. womenonweb.org for example was inaccessible for years, just unblocked some years ago. During the latest Catalan independence referendum, the Spanish government blocked a bunch of websites, not the very least the official website of the referendum itself. This is just one of the most recent cases, and so far the one with widest regular impact. POSSIBLE FIX: I think changing your default DNS servers to Google 8.8.8.8 or Cloudflare 1.1.1.1
might bypass the spanish sunday ban on Cloudlflare. macOS + Cloudlfare 1.1.1.1
https://developers.cloudflare.com/1.1.1.1/setup/macos/ Google 8.8.8.8
https://developers.google.com/speed/public-dns/docs/using I don’t think it’s a DNS ban, it looks like they actually ban connections to the IP range. But you can just use a VPN. Just to confirm it is true. This is LaLiga bringing down essential country-wide infrastructure on soccer hours if your internet access is through main ISPs. Why are you working instead of watching the match? That's what crossed my mind too: It's like a nationally-mandated break to watch football. Ah, so that's why my site is "down" there: https://hayahora.futbol/#sobre-los-bloqueos&domain=taoofmac.... They're blocking the CDN too, not just R2. LOL this is so hilarious, blocking a portion of a web infra for a football match It is somewhat funny until you realize the amount of power some copyright mafia knuckleheads have over the (local) internet. It isn't even an authoritative regime censoring something, but much more silly. Interesting alternative. Cloudflare (market cap $58B) buys La liga (market value $5 billion), drops suit. Real Madrid alone is more than $5B ? Maybe you mean to say league association is worth 5B ? That seems too high the association does not have lot of margins they pass through most of their revenue to the clubs . The last domestic TV deal they signed recently was worth $6B for 5 seasons or so, which is what you are proposing they buy. In enterprise value terms that $1B/year growing 6 %YoY is worth a lot more than $5B. In contrast Cloudflare has a $2.5B revenue albeit growing much faster but also has much smaller earnings or free cash flow, I.e. money they are not spending to make their current revenue. Here are RMs financials...https://www.realmadrid.com/en-US/news/club/latest-news/notic... They make about $25m a year in profit. Cloudflair actually looses a small amount of money on 2.5x the revenue. However, Cloudflairs market cap is about 100x that of RM's and that's because they have a growing business, in a growing industry and can easily become profitable when needed. That's probably not possible for RM and their very pricey lineup of players. It is not the comparison to make, which is why I focused on the league’s tv revenue which is what is relevant , i only bought up Madrid’s valuation to ask where is Laliga ‘s $5B coming from. Real Madrid owns the Bernabeu a valuable piece of real estate in the heart of Madrid and many other assets the Real Madrid brand is very monetizable . Sports team have been consistently growing businesses in every major sport in both Europe and US. Comparing a sports team and SaaS company is hardly going to be apples to apples with different asset , revenue, brand and monopoly and strategic profiles. —— The risk to the league due to piracy is the value of the television deal. The buyer paying $1B/yr (DAZN) is the reason for this enforcement. If Cloudflare wants to buy this problem away that is what they need — The $1B deal growing 5-6% YoY and get into the streaming business . Prime alone is expected to spend $4B on live sports rights this year. It is very expensive space with everyone from Apple to Google and Netflix to sovereign funds going deeper every year . The streaming revenues otherwise aren’t expected to be massively grow so this is the content play that is least risk - compared to investing in say 4-5 blockbuster movies or tv series this is far more predictable and consistent revenue stream. I'm not sure where that number comes from but I don't think it's right, and I don't think that's how La Liga is structured anyway. It's governed by an association of all of the teams in the top two flights of spanish football. Right. The number is the result of Claude adding up the public information about the aggregate value of all those clubs plus the association. So it would mean buying all the clubs; or at least enough to have a controlling interest in the association. Clearly there are big challenges to that (e.g. clubs not being for sale for one). But I thought it was an interesting thought experiment. Of course if you're just trying to play the money = power card then it'd probably be cheaper to purchase the influence of some government officials. Set an example. Buy them, fire everyone, shut it down and liquidate the property. It's a disgrace, but apparently all relevant forces still consider soccer the most important thing in the country. Time to use a VPN in your docker pipelines ;) Or run your systems outside of Spain. Or can this be avoided by using an alternate DNS? They are planning to also block VPN providers during football matches, see https://www.techradar.com/vpn/vpn-privacy-security/la-liga-w... They are not "planning" to block VPNs. A technologically illiterate judge has ordered it, but there are no plans nor mechanisms to enforce it. The exact same stupid mechanism they are already using. Forcing ISPs to blackhole whole subnets if they belong to the VPN provider ASN(s). If they can block IPs of cloudflare what extra mechanisms would be needed to block VPN IPs? The only viable way to even get most of them is to shut down internet access entirely. It's not a realistic solution, unlike blocking a few well known IP ranges belonging to a large corp like Cloudflare. And even if you managed to get them all beforehand, some VPN providers will adapt and keep some servers in reserve, putting them online just as you managed to block the previous ones. Getting around internet censorship is a large chunk of their business, and some are really good at it. You don’t really need to block all, you just need to annoy the users enough that paying is easier. And I think there are enough games to use up the IP reserve pretty quickly and getting new ones every time is pretty annoying. I can provision a new VPS in about 5s of active work. I'd probably fully automate spinning up new servers and failing over because automatically detecting which got blocked is trivial. Bonus points if you use providers that let you attach multiple IPs to each VPS for cheap. Use some censorship resistant decentralized protocols to provide the next couple IPs to your client software and you're good. And then they still need to monitor hundreds of VPN providers for whether they have new IPs, which is not neccssarily as easy as just grabbing a list of them. Once they have some, they then need to forward them to the ISPs and ask for them to be blocked. Their process is significantly less friendly to automation. No country ever won this fight short of total shutdown/disconnects. It's a game. The VPN marketplace is huge so it's wack-a-mole. Big companies don't hide their VPN ASNs. Obscure, for sure, but getting a good list isn't hard. Usually they get blocked. Smaller companies may pass under the radar, and have higher tolerance for risky strategies. The fringe providers are the problem. They aggressively change IP ranges, front-vs-obscure ownership, and play dirty. Shady folks will resell residential ranges. End-users often get tainted goods. ... and you still have the collateral damage game when VPNs host infra with big cloud providers vs colofarms vs self-host, etc. When talking about VPNs, it doesn't have to mean "third party VPN". You can host your own on any VPN service outside of Spain. Yes, but that's not something many can do easily. Also already having to use a VPN is not the "right" solution. The right so solution is to beat some sense inside some politician's head, and force them to write and approve laws that don't let stupid (or conniving) judges pass orders like this one we are talking about. I agree it is not the right solution. But anyone who is pulling docker images in a sunday afternoon while the rest of the country is glued to their screen to watch a football game or enjoying a sunny sunday outside having beers and tapas and what not should be capable of setting up wireguard. Given the context of the HN audience, it's probably something you can do. "A _Sanish_ Court has ordered NordVPN and Proton VPN to block IPs transmitting illegal football streams" [emphasis added], that is inspain. Alternate DNS doesn't help, they block at IP level. Yes, they block IPs belonging to CDNs (CF including R2, BunnyCDN, CDN77, Fastly, Alibaba, Akamai even)... It is not a DNS based block, but on the IP level. Once I knew what caused the issue, I figured I use one of my Hetzner vServers as an exit node in tailscale. But come on, this can't be true. I wonder how many other people in IT wasted hours on issues and tickets to find out it is due to a football match taking place. Admittedly, chances are low, as football matches are usually outside of office hours. I found out about this a month ago when a confused Spanish user showed me all downloads on https://apkmirror.com (powered by Cloudflare R2) are blocked in Spain during LaLiga soccer matches https://x.com/i/status/2030361569691898237. It was so idiotic, I couldn't believe it. Glad it's getting more attention now. Going to play devil's advocate here but I suspect if Cloudflare had been more cooperative about taking down illegal content, LaLiga would not have resorted to blanket blocking individual IPs. I would really like to understand more about the process that they should follow but didn't / followed but didn't satisfy them / doesn't exist, in order to remove infringing websites quickly from CloudFlare. I work with actually malicious content (things that make people lose their life savings) and Cloudflare abuse is relatively helpful (compared to most ISPs who just don't care). They just refuse to take down random things that some media company representatives send their way, without a court order or any oversight. And this is a good thing. LaLiga wanted the right to tell Cloudflare to block specific sites without going through a court. Cloudflare, rightfully, said that was ridiculous and unreasonable. A Spanish court, wrongfully, decided to let LaLiga block all of Cloudflare. Off topic but I wonder when Cloudflare is going to launch their own Docker registry as a product. It's pretty easy to write your own. I made this one a while ago: https://github.com/chainguard-dev/crow-registry I've seen it but it's buggy and lacking in features. Feels like an afterthought instead of a real product Well, Cloudflare does not launch anything. They acquire to build products. Look into all their recent product launches. They acquired a relatively small company and converted the founding team to a product team. So, if you want them to build stuff, ask yourself, are there any "Docker Registry" startups out there. If jsdelivr/globalping is not keeping you busy enough... there is an idea Yes, actually, there are. I've built https://clipper.dev. I'm somewhat focused on robotics/edge device use cases right now (handling large images in bandwidth constrained environments), but my storage costs are also 1/7th of DockerHub. It also enables device to device content sharing much easier than base Docker, will be much easier to do antivirus/vuln scans, some other side benefits. If there's something you'd want out of a registry that you think the market would want, I'm all ears. Honestly I would build it if I knew how to properly market it to quickly get users. Globalping and jsDelivr took years to gain a meaningful user base I do not think that is the issue. The recent acquisitions from all these big tech companies did not have any "meaningful" user base to begin with. I think your name alone carries significant weight in the industry and you have built a very large community. If you even vibe code something with, you will get a stupid amount of money thrown at you and a contract that bounds your existing projects and the next 3-5 years to a particular company as project lead. Here is a list of acquisitions Cloudflare made recently: https://blog.cloudflare.com/tag/acquisitions/ Most of these companies did not have a half dozen paying customer or even a fully fleshed-out product before they were acquired. What would you build that would make it different/better than the existing registries out there? Welcome to the club, buddies! Here, in Russia, the government doesn't care about collateral damage at all when shutting down whole Internet in cities. They turn on white list mode, when only approved sites and IPs work. Businesses stop working and start losing money? They don't care. Important IT systems stop working? They don't care. People can't communicate with each other? Don't care.
And seems like it will happen everywhere else. Sad to see the whole world goes down apart. I think perhaps there's a difference in expectations between wartime versus a country at peace going after pirates. I wanted to say that Internet freedom dismantlement is a global trend. Fair enough, I completely agree. However in the case of Russia specifically, I understand that at one point Ukrainian drones were making routine use of mobile internet within the county. Temporary internet whitelists seem like a reasonable alternative to complete blackouts in that scenario. There are plenty of historic examples of malware using just about any communication platform for the C&C transport. CF could just sue LaLiga and the judge as interrupting and intercepting telecomms it's a really serious crime in Spain. Call the AEPD too because of consumers' right against both ISP and LaLiga's snooping. Another huge fine. This is not an issue under the civil code (civilian issues), but something to be dealt under penal (criminal) code. In Spanish https://www.fiscal.es/memorias/memoria2020/FISCALIA_SITE/rec... Oh, and BTW, LaLiga has just partnered with a CF rival. Now CF can just sue both like hell because of unfair competition: https://nitter.tiekoetter.com/xataka/status/2042658662850724... Looks like they already tried to appeal the block, and lost: They could potentially file the suit against Spain in European Court of Human Rights if they have exhausted national remedies. ECtHR has previously ruled some blocks to be illegal, but generally in the context where country sought the ban. Of course in both cases Court is the one that actually orders the ban. One relevant would be Yildirim v. Turkey where court ordered blocking access to all Google sites because there was one that where someone insulted the memory of Atatürk. This was due to request from Telecommunications Directorate. This then caused the appellant's website to get blocked as well. Another one would be Vladimir Kharitonov v. Russia. Yea, La Liga it's crapping out as always.
Docker needs either some I2P gateway, or a Tor service. Cloudflare could resolve this without negatively impacting fundamental services... just place all newly registered sites (e.g. <30 days) on a dedicated block of IP addresses. That way, Spain's government-ordered censorship could be limited to (mostly) pirate sites. Or they could invest money in vetting customers properly. But of course, Cloudflare rather prefers to hold their actual large customers (who don't have much of an alternative to CF) and everyday Spaniard users hostage. What would prevent a pirate site operator from registering a domain a few months in advance and sitting on it in the meantime? How do you propose customers ought to be vetted? Why should a host be expected to take on the duties of a hall monitor? Isn't that the judiciary's job? I think it is actually Spain using their residents as hostages in an attempt to extort Cloudflare and other large providers. The current situation is best described as blatantly corrupt regulatory capture. > What would prevent a pirate site operator from registering a domain a few months in advance and sitting on it in the meantime? It's driving up the cost and expenses. Operators of legitimate sites don't have to worry during that probation time about anything with the exception of customers in Spain during LL match hours. LL has ~10 matches / weekend (Fri/Sat/Sun/Mon), that means pirates have to have about 40 domains/CF integrations per month plus more in standby - and more, for longer probation periods. > How do you propose customers ought to be vetted? I dunno... stuff like basic KYC measures would be a good start. Copies of ID cards. Government business licenses. Private entities (credit bureaus). Even phone number verification is a serious hurdle for malicious actors, and it ties activities to real world identities that can be held accountable. Dangerous stuff (e.g. streaming) could only be made available upon a security deposit. > Why should a host be expected to take on the duties of a hall monitor? Isn't that the judiciary's job? No, and that we let ISPs get away with ignoring abuse@ emails is part of why the Internet is such a nasty place these days. You need a license to drive a car on public roads, you need an expensive license to fly a small plane, and you need a goddamn massively expensive license to fly a widebody aircraft. So why shouldn't you need to pass some set of verification before you get access to inarguably the Internet's most powerful data pipes? > It's driving up the cost and expenses. That's an interesting point. Are their margins so slim that they can't afford less than ~$50 per domain? I'm not familiar with their revenue model. This is the sort of thing that could be done via the legislature if Spain were serious and playing by the rules. They could require ISPs to do DNS filtering based on domain age during matches. If they really wanted to do service level filtering they could require hosts such as CF to perform geoblocking in a similar manner during matches. > Dangerous stuff (e.g. streaming) could only be made available upon a security deposit. Let's set aside for a moment that I think this suggestion is completely absurd. Are these sites using some prepackaged streaming solution? Do you not realize that I can stream video from any machine using software I control? To an approximation the only thing required to scale streaming up to lots of customers is raw bandwidth. If you don't accommodate seeking you can potentially serve thousands of simultaneous streams with a single cheap VPS (in practice this won't work because a cheap VPS won't have a 100 Gbit pipe). > So why shouldn't you need to pass some set of verification Since when have you needed a license or verification to publish? You're acting as though a global impressum requirement is the natural state of affairs. Your demand is an affront to free society. > we let ISPs get away with ignoring abuse@ emails That seems like an entirely separate matter, if it's even true at all. > No Ah yes, a rousing argument. Obviously you must be correct. You've failed to make a convincing case as to why deciding what is and isn't permissible isn't the job of the judiciary. If Spain wants to change that then they need to pass laws to that effect but in practice those won't have global reach. Thus they might (for example) engage in international lobbying efforts to incorporate a DMCA equivalent for illegal streaming into the global copyright regime. Failing the above it is Spain that is in the wrong here and I'm happy to see that CF isn't going along with their overbearing and entirely unreasonable nonsense. The last sentence of this submission makes no sense. You are in Spain. Allegedly, the country has a representative government. That means that you should have a way to influence the government to fix this idiocy. If, in fact, you don’t, then it is not a representative government and …ahem… further steps may be warranted to remind the government whom they work for. Spain is a failing country. Their economy is in shambles and the government has ceded internet control to a private corporation who runs football games. >Their economy is in shambles But it's among the fastest growing in the EU? Granted, part of this is starting from a low base, but it's hardly "in shambles" https://data.worldbank.org/indicator/NY.GDP.PCAP.KD.ZG?locat... They are doing this by artificially inflating the numbers, destroying the country forever: https://i.imgur.com/0MAeFaF.jpg >total population change in EU countries The figures I cited are for GDP per capita, which accounts for population growth. Moreover immigration should have the opposite effect of depressing per-capita GDP, because immigrants typically take lower skilled jobs, dragging overall productivity down. So if anything, the figures are artificially depressed, not inflated. You should read down that table a bit. Sure the Spanish economy had higher growth rates the last couple of years. The way they managed to have a higher rate was to have the economy shrink by 8% in 2023. So according to my math, the estimated size of the Spanish economy in 2026 is about the same as the 2023 Spanish economy (within 1%). Hard to claim that as a win. Technically you can say that they have been in a depression for the last 4 years and counting as their functional growth rate (accounting for inflation of the Euro) is negative over that period (down about 10% inflation adjusted). > So according to my math, the estimated size of the Spanish economy in 2026 is about the same as the 2023 Spanish economy (within 1%). Hard to claim that as a win. That conclusion does not seem to check out just by eyeballing the charts. https://data.worldbank.org/indicator/NY.GDP.PCAP.KD?location... It shows a divergence from the EU back in the 2010s, but afterwards is recovering at the same pace or even faster than the EU. Could be better, but not "in shambles" either. Spain isn't a perfect country, I don't think any is. But the economy isn't in shambles, only someone who doesn't know what they're talking about would say anything like that. It does suck that La Liga can wield so much power, agree, but this is not related to the economy at all... Sorry, but this isn't true. The Spanish economy shrank by 8% in 2023. So all those gains in the last couple of years are just catching up to 2023 and not actual growth. Add in inflation and the average Spaniard has lost 10% of their income over that period (2023-now). The median citizen losing 10% of their income in real economic terms does qualify for the vaunted "shambles" title. Are you spanish and never went to another country? I only heard such things from never-stop complaining locals that never traveled anywhere. Yeah La Liga is a religion here, but Spain is one of the worlds top of life quality mate To note that this isn't the executive or legislative but the judiciary doing the bidding. [flagged] It's not just docker and tech. Plenty of people depend on tools that use Cloudflare. And when you are on your deathbed you will say “I wish I had spent more time on Cloudflare-based products”? I doubt it. No peer-reviewed research has shown people say that. Telling someone what to do is even more American, let people do whatever they want, at the times they want, as long as they don't hurt others, this is the Spanish way. Touché. Or should I say “me has tocado señor”. Probably not but it would be funny. Cloudflare is cancer. And the tumor is now too big. You've got it backwards. Spain's ISPs are blocking Cloudflare and other CDNs because of LaLiga/football piracy. CloudFlare isn't doing anything here. You are correct, but Cloudflare is still a cancer on the Internet. Rampant bot traffic and scrapers are the real cancer. Until that goes away everyone is going to need cloudflare or some other bot firewall service. Perhaps that is true, but the Cloudflare anti-bot protection is too stupid and annoying. They should have used a cookie or something else that does not require asking me every few minutes to prove once more that I am not a bot. There was a time when Cloudflare had become less intrusive, but for the last months it has begun again to intervene almost each time when opening some pages. There is no doubt that anti-bot protection can be implemented in a better way than Cloudflare does, but presumably the alternatives would consume more resources on their servers, so probably they choose whatever minimizes their costs, regardless if that ensures maximum discomfort for Internet users. You're getting frequent verification requests because you're behaving like a bot. Are you modifying your user agent string or using a VPN? Who knows what upsets ClownFlare? I'm using Vivaldi on Linux on IPv6 in Denmark with every uBlock filter enabled and Cookie Auto-delete. That seems to confuse and anger CloudFlare and I get CAPTCHA tarpitted constantly. > They should have used a cookie or something else that does not require asking me every few minutes to prove once more that I am not a bot. > every uBlock filter enabled and Cookie Auto-delete Hmm So you know why. No, it could be any, or other, totally normal and reasonable factors. Or maybe I posted too much Cloudflare hate on HN and they singled me out. They're in the walls! Those are easy enough to dissuade with readily available PoW solutions. People use CF & co. out of convenience, the exact same reason that most websites load resources from at least half a dozen third parties instead of self hosting. It won’t. Some people are perfectly happy to destroy and destroy as long as they get some small portion as profit for themselves. That, ironically, includes Cloudflare. Without rampant bots making the internet worse for everybody, they wouldn't have as much work. And their portion of profit is anything but small. I know this is an unpopular opinion among freedom maximalists, but: It’s precisely because CloudFlare isn’t responding like other CDNs to reasonable demands to cut off pirate origin sites that this mess exists. If they reacted quickly to remove configurations that are obviously facilitating copyright infringement, Spain wouldn’t resort to full scale ASN blocking. How do we know it’s CloudFlare? Because other CDNs like CloudFront, Akamai, Fastly, etc. respond to takedown demands and aren’t being blocked. (Those also cost money and require customer identification.) In an escalating war between the state and a corporation, the state will always prevail if they have the public’s backing. In Spain it’s clear that most people are happy to watch the match through legitimate channels even at the cost of blocking CloudFlare. > It’s precisely because CloudFlare isn’t responding like other CDNs to reasonable demands to cut off pirate origin sites that this mess exists. If they reacted quickly to remove configurations that are obviously facilitating copyright infringement, Spain wouldn’t resort to full scale ASN blocking. Apropos of anything else, CF is (reasonably) requiring a court order to remove offending material rather than just "well, company said so, so eh, just do as they say". La Liga complains that "oh, that's too slow for what we want" and just got a blanket ruling. I am not a fan of CF but your argument seems to be "CF should just roll over any time someone says "hey, delete this", because, obviously, everyone knows it's problematic, right? Right?". At least the DMCA in the U.S. has guardrails: not just anyone can send a takedown demand for everything. The requester has identify the works and declare under penalty of perjury that they are operating on the behalf of the owner. I imagine the equivalent EU law has similar requirements. CloudFlare uses legal chicanery to try to subvert the DMCA by claiming that because they’re not the origin server, they’re not subject to takedown demands. So far no court has told them to knock it off. I expect that day will eventually come. Every lawsuit against them to date has ended in a settlement because CloudFlare would rather pay up than get an unfavorable ruling on the books. CloudFlare has consistently treated loss of DMCA safe harbor protection as a material business risk; it’s been cited in every SEC filing from the 2019 IPO S-1 through the FY2025 10-K. Nobody cares about the DMCA guardrails and they are never meaningfully enforced. Case in point, Anthropic DMCAing thousands of repositories that simply mentioned the word "claude". > At least the DMCA in the U.S. has guardrails: not just anyone can send a takedown demand for everything. The requester has identify the works and declare under penalty of perjury that they are operating on the behalf of the owner. You'd think so, but no. DMCA came into effect 28 years ago. All those decades, all those billions of takedowns, and you don't even need the fingers of one hand to count those who've been hit with perjury for a false takedown request, because the number is ... zero. You might misunderstand what the law requires. The person making the complaint (demand) only has to declare under penalty of perjury that they represent the copyright holder. It does not require them, under penalty of perjury, to be correct about the underlying facts. See 17 U.S.C. 512(c)(3)(A): "(A) To be effective under this subsection, a notification of claimed infringement must be a written communication provided to the designated agent of a service provider that includes substantially the following: ... "(vi) A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed." In other words: someone issuing a notice of infringement relating to a Disney work must declare under penalty of perjury that they represent Disney. They don't have to declare under penalty of perjury that the work is in fact a Disney work, that the title is correct, that the use in question is not fair use, etc. This would explain why you're not seeing what you expect to see. cf is failing to comply with Spanish law and as a result is being blocked in Spain I can agree on how much power on the global traffic they have, but this blocks affect many other CDNs like Fastly, Akamai, CDN77, BunnyCDN, Alibaba... Spain is mandating their ISPs block cloudflare to stop people from illegally streaming soccer games. Cloudflare isn't the one doing the blocking.
danirod - 13 hours ago
pxc - 12 hours ago
RiverCrochet - 9 hours ago
Spooky23 - 7 hours ago
jazzyjackson - 7 hours ago
mschuster91 - 9 hours ago
RiverCrochet - 9 hours ago
angry_octet - 5 hours ago
sneak - 9 hours ago
nrds - 10 hours ago
freetanga - 12 hours ago
embedding-shape - 11 hours ago
ryandrake - 10 hours ago
embedding-shape - 10 hours ago
sneak - 9 hours ago
bombcar - 7 hours ago
drnick1 - 2 hours ago
rock_artist - 8 hours ago
lentil_soup - 11 hours ago
embedding-shape - 11 hours ago
emptysongglass - 9 hours ago
loloquwowndueo - 10 hours ago
embedding-shape - 10 hours ago
bakugo - 12 hours ago
cluckindan - 11 hours ago
hunterpayne - 4 hours ago
embedding-shape - 11 hours ago
estebarb - 8 hours ago
the_gipsy - 12 hours ago
miki123211 - 13 minutes ago
estebank - 12 hours ago
encom - 11 hours ago
embedding-shape - 11 hours ago
bombcar - 7 hours ago
j0057 - 4 hours ago
trailheadsec - 4 hours ago
tobz1000 - 10 hours ago
boredatoms - 11 hours ago
tryauuum - 10 hours ago
peanut-walrus - 10 hours ago
tryauuum - 10 hours ago
necovek - 9 hours ago
out_of_protocol - 8 hours ago
bryan_w - 2 hours ago
toast0 - 9 hours ago
swiftcoder - 8 hours ago
psychoslave - 10 hours ago
tryauuum - 10 hours ago
psychoslave - 9 hours ago
fc417fc802 - 9 hours ago
necovek - 8 hours ago
fc417fc802 - 8 hours ago
utrack - 14 hours ago
mr_mitm - 13 hours ago
michaelt - 11 hours ago
n6242 - 11 hours ago
KAMSPioneer - 10 hours ago
spwa4 - 11 hours ago
ryandrake - 10 hours ago
array_key_first - 23 minutes ago
necovek - 8 hours ago
joquarky - 8 hours ago
hunterpayne - 3 hours ago
cool_dude85 - 2 hours ago
lentil_soup - 11 hours ago
mlyle - 10 hours ago
pxc - 2 hours ago
mlyle - an hour ago
pxc - 10 minutes ago
gruez - 11 hours ago
teaearlgraycold - 9 hours ago
Pay08 - 9 hours ago
swiftcoder - 8 hours ago
bartread - 7 hours ago
hunterpayne - 3 hours ago
quadrifoliate - 13 hours ago
maest - 11 hours ago
post-it - 11 hours ago
encom - 11 hours ago
prmoustache - 13 hours ago
bakugo - 12 hours ago
sva_ - 7 hours ago
aftbit - 6 hours ago
mrvaibh - 13 hours ago
The real fix on your end until Spain sorts this out: set up a pull-through registry cache (e.g. registry:2 with proxy.remoteurl) on a VPS outside Spain, and point your Docker daemon's mirror config at it. Your
GitLab runner pulls from the cache, the cache pulls from Docker Hub via a non-blocked IP. Also insulates you from Docker Hub rate limits.
But yeah, the fact that a court order about football streaming can break docker pull for an entire country is genuinely absurd.
embedding-shape - 11 hours ago
tom1337 - 11 hours ago
mcintyre1994 - 8 hours ago
tom1337 - 8 hours ago
kjs3 - 7 hours ago
littlecranky67 - 9 hours ago
jacquesm - 10 hours ago
hunterpayne - 3 hours ago
jjcm - 10 hours ago
Self-Perfection - 3 hours ago
jcalvinowens - 11 hours ago
spwa4 - 11 hours ago
Ikatza - 5 hours ago
torben-friis - 11 hours ago
littlecranky67 - 11 hours ago
pier25 - 10 hours ago
rmonvfer - 6 hours ago
swiftcoder - 9 hours ago
pjc50 - 13 hours ago
dabinat - 3 hours ago
DocTomoe - 12 hours ago
lentil_soup - 12 hours ago
afh1 - 11 hours ago
lentil_soup - 11 hours ago
embedding-shape - 11 hours ago
ryandrake - 10 hours ago
embedding-shape - 10 hours ago
redbell - 4 hours ago
yangm97 - 11 hours ago
tabwidth - 5 hours ago
samgranieri - 7 hours ago
Self-Perfection - 4 hours ago
ethin - an hour ago
gchamonlive - 11 hours ago
Kamshak - 10 hours ago
baobabKoodaa - 5 hours ago
drnick1 - 2 hours ago
Robdel12 - 2 hours ago
danpalmer - an hour ago
pfortuny - 10 hours ago
swiftcoder - 8 hours ago
aftbit - 6 hours ago
zeafoamrun - 5 hours ago
amarant - 9 hours ago
swiftcoder - 8 hours ago
amarant - 8 hours ago
HDThoreaun - 8 hours ago
vaylian - 14 hours ago
embedding-shape - 11 hours ago
ryandrake - 10 hours ago
embedding-shape - 10 hours ago
giorgioz - 11 hours ago
echoangle - 10 hours ago
jesuslop - 9 hours ago
postepowanieadm - 9 hours ago
userbinator - 5 hours ago
rcarmo - 7 hours ago
Chrisszz - 7 hours ago
sva_ - 7 hours ago
ordersofmag - 10 hours ago
manquer - 4 hours ago
hunterpayne - 3 hours ago
manquer - 2 hours ago
msully4321 - 6 hours ago
ordersofmag - 2 hours ago
lokar - 9 hours ago
Jare - 11 hours ago
sigio - 14 hours ago
darkwater - 13 hours ago
Mordisquitos - 13 hours ago
darkwater - 12 hours ago
chrismustcode - 13 hours ago
chmod775 - 13 hours ago
echoangle - 10 hours ago
chmod775 - 7 hours ago
mr-wendel - 12 hours ago
prmoustache - 13 hours ago
darkwater - 12 hours ago
prmoustache - 12 hours ago
marginalia_nu - 12 hours ago
ufocia - 13 hours ago
skgsergio - 13 hours ago
littlecranky67 - 12 hours ago
archon810 - 4 hours ago
Dibby053 - 10 hours ago
integralid - 7 hours ago
JoshTriplett - 8 hours ago
jimaek - 13 hours ago
ImJasonH - 13 hours ago
ai_slop_hater - 11 hours ago
jimaek - 11 hours ago
wqtz - 13 hours ago
a_t48 - 4 hours ago
jimaek - 12 hours ago
wqtz - 12 hours ago
a_t48 - 4 hours ago
blurb4969 - 9 hours ago
fc417fc802 - 8 hours ago
blurb4969 - 8 hours ago
fc417fc802 - 8 hours ago
anthk - 13 hours ago
quadrifoliate - 13 hours ago
buzer - 11 hours ago
anthk - 13 hours ago
mschuster91 - 9 hours ago
fc417fc802 - 9 hours ago
mschuster91 - 6 hours ago
fc417fc802 - 4 hours ago
dmitrygr - 10 hours ago
richwater - 12 hours ago
gruez - 11 hours ago
nslsm - 10 hours ago
gruez - 10 hours ago
hunterpayne - 2 hours ago
gruez - an hour ago
embedding-shape - 11 hours ago
hunterpayne - 2 hours ago
chrz - 6 hours ago
estebank - 11 hours ago
renewiltord - 11 hours ago
post-it - 11 hours ago
renewiltord - 11 hours ago
embedding-shape - 11 hours ago
renewiltord - 11 hours ago
mathfailure - 13 hours ago
Cpoll - 13 hours ago
sph - 13 hours ago
petcat - 13 hours ago
adrian_b - 12 hours ago
post-it - 11 hours ago
encom - 11 hours ago
post-it - 10 hours ago
bethekidyouwant - 10 hours ago
encom - 10 hours ago
NO CARRIER
+CREG: 0,0
fc417fc802 - 8 hours ago
Duwensatzaj - 12 hours ago
sph - 11 hours ago
otterley - 11 hours ago
FireBeyond - 9 hours ago
otterley - 9 hours ago
willdr - 5 hours ago
FireBeyond - 5 hours ago
otterley - 18 minutes ago
jbxntuehineoh - 12 hours ago
skgsergio - 13 hours ago
petcat - 13 hours ago
