> error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com
First blaming tailscale, dns configuration and all other stuff. Until I just copied that above URL into my browser on my laptop, and received a website banner:
> El acceso a la presente dirección IP ha sido bloqueado en cumplimiento de lo dispuesto en la Sentencia de 18 de diciembre de 2024, dictada por el Juzgado de lo Mercantil nº 6 de Barcelona en el marco del procedimiento ordinario (Materia mercantil art. 249.1.4)-1005/2024-H instado por la Liga Nacional de Fútbol Profesional y por Telefónica Audiovisual Digital, S.L.U. https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare
For those non-spanish speakers: It means there is football match on, and during that time that specific host is blocked. This is just plain madness. I guess that means my gitlab pipelines will not run when football is on. Thank you, Spain.
Every response and comment from LaLiga, the football organization responsible for this, has been so far that this is a minor issue that only affects a few bunch of nerds who talk about "docker images" or "github repositories" or "whatever that means".
Meanwhile, there are testimonies of smart home devices like anti-theft alarms or automatic doors, that stop working whenever there is a football match, because their backends rely on Cloudflare.
Last week, a woman asked for help on social media, as the GPS tracking app she uses to see where her father with dementia is, went offline during a match. It was getting late and he still wasn't back home, and she couldn't locate the tag he was wearing to find him: https://www.infobae.com/america/agencias/2026/04/05/laliga-d...
It's hard to say this, because no one should experience an event like this, but as stressful as these are, it's the only way to make the mainstream people care about this censorship. "I cannot pull a docker image" will never be on nightly news, but safety and personal security is a more powerful driver for discourses.
This is generally how the GFW works in China. Instead of an overbearing nanny like a school or corporation's DNS blocker, you're left with a sense that you're on a version of the Internet that is just intermittently and somewhat mysteriously broken.
And indeed, in China, a lot of things that probably aren't fully intended to be blocked are not reliably accessible. Implementation varies, so you get strange routing and peering issues. It feels like an Internet that isn't fully formed, that hasn't finished coming together yet.
Nation states and corporations obviously gain some things sometimes by having Internet censorship/blocking frameworks in place. Maybe, sometimes, ordinary people even benefit, too, if it helps shut down illegal and genuinely harmful businesses.
But it feels like the whole world is gradually trending towards more and more Internet censorship without realizing that we are un-building a miraculous thing that took enormous effort and cleverness and expense to build. I wish we could think about this not only in terms of freedom (and we absolutely should think about it in terms of freedom), but how we are disintegrating the infrastructure of communication and computing.
These were ripe with espionage, wiretapping and sabotage. Access to it used to be highly restricted as well, up until the 90s for example you were only allowed to connect government-licensed modems to the German PSTN directly.
Just like today's Internet. BGP spoofing, CALEA, DDoS.
> Access to it used to be highly restricted as well ...
And this is where the regression or "downfall" is beginning. Access to the Internet (as in ability to send/receive arbitrary data to the wider Internet) is something I bet is going to be increasingly restricted, but most people won't notice because they don't understand the difference between apps and the Internet.
I'd be surprised if direct access to the Internet is possible for consumers in the next 10 years. Everything will have to be through approved apps (age assurance is going to be the catalyst) that work over registered tunnels contracted through ISPs, if there isn't an outright blurring or merger between the concepts of phone/CPE, ISP and CDN. Your non-tech layperson will not know any difference whatsoever if all they use are their phone plan, streaming/banking apps and Facebook.
That's actually just how the Internet is. Nothing to do with the great firewall.
I've claimed financial loss, claimed sanity loss and everything in-between, but I'm afraid unless something reaches the European/EU courts, Spain will continue to be in the pocket of the La Liga owners.
Straight up fucking censorship with wide collateral being completely accepted in a Western country in 2026, beyond comprehension how this is allowed.
(Sadly as living in Spain for about a year I’m still not in such place to raise this or understand the full steps needed)
We've never guaranteed the right to free speech and because we haven't it's a slippery slope all the way back down to the furnaces of autocracy we sprang from.
The Spanish president has come out on record saying we don't deserve anonymity on the internet.
Used my digital certificate (which is installed in the browser), but AFAIK, you can use Cl@ve on that page above too.
In the past, I've cited BOE-A-2022-10757 (https://www.boe.es/buscar/act.php?id=BOE-A-2022-10757), done a reclamació for the repeated loss of lawful access on my connection, and a denúncia about a broader overblocking practice affecting access to lawful services.
Also, supposedly, we should be able to make claims to CNMC as well, but haven't figured out how. Also of course, been complaining to my ISP every time it happens too.
Snail mail uses up physical space so it might get more attention, it would be hilarious to see news reports of truckloads of complaint mail being dumped in front of the whatever office.
This is a great idea, we definitively should make this happen! If people are curious on collaborating on something, reach out, email in profile (English or Spanish emails welcome!).
The fault here lies 100% with horribly designed IoT devices that turn into bricks when they lose internet connection.
And when purchasing a product, there's no "bill of materials" telling you about the services it relies on, beyond "internet connection" at best.
I'm not saying this situation isn't bullshit, but the bigger problem is that CloudFlare is now "fundamental internet infrastructure". This is precisely the situation that the internet was designed to prevent.
Yesterday I got stuck in endless CloudFlare CAPTCHA's, trying to access theretroweb.com. I had to give up. Many such cases. I hate CloudFlare so much, it's unreal.
Right, but on the other hand, our constitution and laws are supposed to give us the rights to access a internet where the government cannot block entire companies who host websites, because a few bad websites are hosted there.
Not to mention all us freelancers, contractors and just in general computing users, who sometimes want to continue working although 90% of the country is watching football, we should be able to do so even if pirates use Cloudflare for shitty stuff.
I agree that Cloudflare sucks, people should avoid defaulting to putting Cloudflare in front of absolutely everything they do and I too get stuck at the CAPTCHAs sometimes. But that doesn't remove the fact that Cloudflare, just like every other lawful company, should be allowed to be visited during La Liga matches.
A VPN won't help against government blanket outages, where the target is complete control of communications, and attempts to circumvent may result in extreme penalty. In this case, where the government policy is to stop unauthorized streaming, and collatoral damage is acceptable, a VPN hosted in a more favorable location is likely to work enough. Afaik, I don't think Spain has the political appetite to block VPNs and such during football matches.
You can still fight the political issue with political means, but in the mean time, you can also get work done.
Unfortunately nobody is quite sure what appetite they have, because LaLiga is doing this all on the back of a relatively narrow judicial ruling that hasn't been reviewed in a long time
What technical solutions can't change is the underlying social dynamics.
What is this "sweet position" you talk about?
I was trying to refer to an actual rebel position, which is actors which use illegal practices to achieve their goals agaisnt institutions in place. Which might have the cool attitude imagery attached to it, but which is certainly not an easy one in reality.
When the La Liga match starts, everything that's proxied via CF (including zero access reverse tunnels) stops working.
There's even a website made for checking if the match is on: https://hayahora.futbol/
You can check if your host is affected: https://hayahora.futbol/#comprobador&domain=docker-images-pr...
Pirates would rather not be blocked, so they create a new, disposable website for every game. Any blocking must happen fast.
Cloudflare would rather not block websites without a court order specifying the sites to be blocked.
The courts would rather not create a special fast lane through the courts, just to resolve a squabble between two huge corporations.
Funny enough, I work in IT and I've had to use a VPN to be able to do my job when soccer is on, but my two non-tech-savy family members that do watch soccer using pirate livestreams say that they've never had any issues with blocked streams.
But the point is that the measure does more to block legitimate use than illegitimate (in my experience). And next they want to go after VPNs. Wonderful.
Surely you understand now. Go about your business, poor person.
why would they?
> squabble between two huge corporations
I think this is just LaLiga using it's cultural and economical power, don't think Cloudflare or the courts should be making exceptions just so they can control how people watch football
Well, in this case, the alternative is all of Spain intermittently blocking lots of Cloudflare.
But if Cloudflare bows to Spain in this case, every jurisdiction will want to pile up lots of special case rules for Cloudflare to try and implement.
Plenty of companies proactively take action against shady users, even if not 100% required under law. Youtube has content id, social media companies have "community guidelines", and ISPs have AUPs.
Looks like same old regulatory capture.
https://xcancel.com/eastdakota/status/2009654937303896492
Everyone looks bad in this conflict.
AFAIK, they're not doing "blanket IP blocking", they're intercepting requests based on DNS and IP, and try to serve their own certificates and their own content. Obviously, in most cases it fails, as the certificate doesn't match the site, so the browser rejects it, but as far as I can see and tell, there is no "blanket IP blocks", more like "DNS and IP interception".
The difference doesn't really matter in practice, sucks regardless, but I thought I'd clarify for the ones who are not experiencing these blocks themselves at least.
Someone needs to write a heist movie set in Spain where a key part of the plan is they steal something while La Liga is blocking some key security route.
https://int.assemblea.cat/civil-and-human-rights-abuses/tool...
This is also not new behaviour - Theo posted a YouTube about it nearly a year ago[1].
[1]: https://www.youtube.com/watch?v=1-geGEYEw7g
Sometimes it works, sometimes it does not, but doing nothing is never an option if you disagree with what they're doing. To think that doing nothing is better than something, that's incredibly naive.
You're right, it possibly has the same effect. How could we figure out what's the actual answer in practice?
(The trial was initiated by LaLiga and Telefonica...).
"Telefonica" is the (exclusive) distributor for the rights of streaming the matches, and is only (of course?) the main consumer (and business) Telco in Spain: they are in a game they cannot lose. This is such an abuse and no government (this, past, whichever) has done anything about it.
But no, it's apparently to stop piracy!? Turning off half the internet, and mostly the legitimate parts at that (since when do pirates use cloudflare?) seems like probably the worst method to go about it.
Someone ought to start streaming those games illegally without using cloudflare just to demonstrate how stupid this policy is
Oh, the icing on the cake is that they already do. While my whole dev stack gets shut off every weekend, my neighbour watches pirate futbol streams just fine - not only is it a stupid policy, it's an ineffective one, and the pirates bypassed the bans ages ago
Talk about unfair business practices!
I think changing your default DNS servers to Google 8.8.8.8 or Cloudflare 1.1.1.1 might bypass the spanish sunday ban on Cloudlflare.
macOS + Cloudlfare 1.1.1.1 https://developers.cloudflare.com/1.1.1.1/setup/macos/
Google 8.8.8.8 https://developers.google.com/speed/public-dns/docs/using
But you can just use a VPN.
What Spain does is basically censorship and it's very poorly executed. The docker image registry is only one out of the many collateral victims of this stupid law.
Basically? It is censorship, with huge collateral damage and regardless of how much we complain or share evidence that the blocks are actually financially harming us, no one seems to care as long as La Liga gets to freely block whatever hoster of websites as they wish.
womenonweb.org for example was inaccessible for years, just unblocked some years ago. During the latest Catalan independence referendum, the Spanish government blocked a bunch of websites, not the very least the official website of the referendum itself.
This is just one of the most recent cases, and so far the one with widest regular impact.
I would really like to understand more about the process that they should follow but didn't / followed but didn't satisfy them / doesn't exist, in order to remove infringing websites quickly from CloudFlare.
Cloudflare, rightfully, said that was ridiculous and unreasonable.
A Spanish court, wrongfully, decided to let LaLiga block all of Cloudflare.
Or can this be avoided by using an alternate DNS?
And even if you managed to get them all beforehand, some VPN providers will adapt and keep some servers in reserve, putting them online just as you managed to block the previous ones. Getting around internet censorship is a large chunk of their business, and some are really good at it.
Big companies don't hide their VPN ASNs. Obscure, for sure, but getting a good list isn't hard. Usually they get blocked.
Smaller companies may pass under the radar, and have higher tolerance for risky strategies.
The fringe providers are the problem. They aggressively change IP ranges, front-vs-obscure ownership, and play dirty. Shady folks will resell residential ranges. End-users often get tainted goods.
... and you still have the collateral damage game when VPNs host infra with big cloud providers vs colofarms vs self-host, etc.
But anyone who is pulling docker images in a sunday afternoon while the rest of the country is glued to their screen to watch a football game or enjoying a sunny sunday outside having beers and tapas and what not should be capable of setting up wireguard.
Yes, they block IPs belonging to CDNs (CF including R2, BunnyCDN, CDN77, Fastly, Alibaba, Akamai even)...
So much for digital sovereignty :-)
But come on, this can't be true. I wonder how many other people in IT wasted hours on issues and tickets to find out it is due to a football match taking place. Admittedly, chances are low, as football matches are usually outside of office hours.
So, if you want them to build stuff, ask yourself, are there any "Docker Registry" startups out there. If jsdelivr/globalping is not keeping you busy enough... there is an idea
Globalping and jsDelivr took years to gain a meaningful user base
I think your name alone carries significant weight in the industry and you have built a very large community.
If you even vibe code something with, you will get a stupid amount of money thrown at you and a contract that bounds your existing projects and the next 3-5 years to a particular company as project lead.
Here is a list of acquisitions Cloudflare made recently: https://blog.cloudflare.com/tag/acquisitions/
Most of these companies did not have a half dozen paying customer or even a fully fleshed-out product before they were acquired.
But of course, Cloudflare rather prefers to hold their actual large customers (who don't have much of an alternative to CF) and everyday Spaniard users hostage.
How do you propose customers ought to be vetted? Why should a host be expected to take on the duties of a hall monitor? Isn't that the judiciary's job?
I think it is actually Spain using their residents as hostages in an attempt to extort Cloudflare and other large providers. The current situation is best described as blatantly corrupt regulatory capture.
https://x.com/ahachete/status/2035783292549755228
This is not an issue under the civil code (civilian issues), but something to be dealt under penal (criminal) code.
In Spanish
https://www.fiscal.es/memorias/memoria2020/FISCALIA_SITE/rec...
Oh, and BTW, LaLiga has just partnered with a CF rival.
Now CF can just sue both like hell because of unfair competition:
https://nitter.tiekoetter.com/xataka/status/2042658662850724...
https://x.com/jaumepons/status/1904906677335245294
One relevant would be Yildirim v. Turkey where court ordered blocking access to all Google sites because there was one that where someone insulted the memory of Atatürk. This was due to request from Telecommunications Directorate. This then caused the appellant's website to get blocked as well.
Another one would be Vladimir Kharitonov v. Russia.
But it's among the fastest growing in the EU? Granted, part of this is starting from a low base, but it's hardly "in shambles"
https://data.worldbank.org/indicator/NY.GDP.PCAP.KD.ZG?locat...
The figures I cited are for GDP per capita, which accounts for population growth. Moreover immigration should have the opposite effect of depressing per-capita GDP, because immigrants typically take lower skilled jobs, dragging overall productivity down. So if anything, the figures are artificially depressed, not inflated.
They should have used a cookie or something else that does not require asking me every few minutes to prove once more that I am not a bot.
There was a time when Cloudflare had become less intrusive, but for the last months it has begun again to intervene almost each time when opening some pages.
There is no doubt that anti-bot protection can be implemented in a better way than Cloudflare does, but presumably the alternatives would consume more resources on their servers, so probably they choose whatever minimizes their costs, regardless if that ensures maximum discomfort for Internet users.
> every uBlock filter enabled and Cookie Auto-delete
Hmm
They're in the walls!
It’s precisely because CloudFlare isn’t responding like other CDNs to reasonable demands to cut off pirate origin sites that this mess exists. If they reacted quickly to remove configurations that are obviously facilitating copyright infringement, Spain wouldn’t resort to full scale ASN blocking.
How do we know it’s CloudFlare? Because other CDNs like CloudFront, Akamai, Fastly, etc. respond to takedown demands and aren’t being blocked. (Those also cost money and require customer identification.)
In an escalating war between the state and a corporation, the state will always prevail if they have the public’s backing. In Spain it’s clear that most people are happy to watch the match through legitimate channels even at the cost of blocking CloudFlare.
Apropos of anything else, CF is (reasonably) requiring a court order to remove offending material rather than just "well, company said so, so eh, just do as they say". La Liga complains that "oh, that's too slow for what we want" and just got a blanket ruling.
I am not a fan of CF but your argument seems to be "CF should just roll over any time someone says "hey, delete this", because, obviously, everyone knows it's problematic, right? Right?".
CloudFlare uses legal chicanery to try to subvert the DMCA by claiming that because they’re not the origin server, they’re not subject to takedown demands. So far no court has told them to knock it off. I expect that day will eventually come. Every lawsuit against them to date has ended in a settlement because CloudFlare would rather pay up than get an unfavorable ruling on the books.
CloudFlare has consistently treated loss of DMCA safe harbor protection as a material business risk; it’s been cited in every SEC filing from the 2019 IPO S-1 through the FY2025 10-K.