Tell HN: Docker pull fails in Spain due to football Cloudflare block
RU version is available. Content is displayed in original English for accuracy.
> error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com
First blaming tailscale, dns configuration and all other stuff. Until I just copied that above URL into my browser on my laptop, and received a website banner:
> El acceso a la presente dirección IP ha sido bloqueado en cumplimiento de lo dispuesto en la Sentencia de 18 de diciembre de 2024, dictada por el Juzgado de lo Mercantil nº 6 de Barcelona en el marco del procedimiento ordinario (Materia mercantil art. 249.1.4)-1005/2024-H instado por la Liga Nacional de Fútbol Profesional y por Telefónica Audiovisual Digital, S.L.U. https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare
For those non-spanish speakers: It means there is football match on, and during that time that specific host is blocked. This is just plain madness. I guess that means my gitlab pipelines will not run when football is on. Thank you, Spain.
Discussion (332 Comments)Read Original on HackerNews
Every response and comment from LaLiga, the football organization responsible for this, has been so far that this is a minor issue that only affects a few bunch of nerds who talk about "docker images" or "github repositories" or "whatever that means".
Meanwhile, there are testimonies of smart home devices like anti-theft alarms or automatic doors, that stop working whenever there is a football match, because their backends rely on Cloudflare.
Last week, a woman asked for help on social media, as the GPS tracking app she uses to see where her father with dementia is, went offline during a match. It was getting late and he still wasn't back home, and she couldn't locate the tag he was wearing to find him: https://www.infobae.com/america/agencias/2026/04/05/laliga-d...
It's hard to say this, because no one should experience an event like this, but as stressful as these are, it's the only way to make the mainstream people care about this censorship. "I cannot pull a docker image" will never be on nightly news, but safety and personal security is a more powerful driver for discourses.
This is generally how the GFW works in China. Instead of an overbearing nanny like a school or corporation's DNS blocker, you're left with a sense that you're on a version of the Internet that is just intermittently and somewhat mysteriously broken.
And indeed, in China, a lot of things that probably aren't fully intended to be blocked are not reliably accessible. Implementation varies, so you get strange routing and peering issues. It feels like an Internet that isn't fully formed, that hasn't finished coming together yet.
Nation states and corporations obviously gain some things sometimes by having Internet censorship/blocking frameworks in place. Maybe, sometimes, ordinary people even benefit, too, if it helps shut down illegal and genuinely harmful businesses.
But it feels like the whole world is gradually trending towards more and more Internet censorship without realizing that we are un-building a miraculous thing that took enormous effort and cleverness and expense to build. I wish we could think about this not only in terms of freedom (and we absolutely should think about it in terms of freedom), but how we are disintegrating the infrastructure of communication and computing.
The counter-reaction to this era will include additional communication control.
These were ripe with espionage, wiretapping and sabotage. Access to it used to be highly restricted as well, up until the 90s for example you were only allowed to connect government-licensed modems to the German PSTN directly.
That's actually just how the Internet is. Nothing to do with the great firewall.
I've claimed financial loss, claimed sanity loss and everything in-between, but I'm afraid unless something reaches the European/EU courts, Spain will continue to be in the pocket of the La Liga owners.
Straight up fucking censorship with wide collateral being completely accepted in a Western country in 2026, beyond comprehension how this is allowed.
(Sadly as living in Spain for about a year I’m still not in such place to raise this or understand the full steps needed)
I mean, didn’t El Salvador and Honduras go to war over football back in the 60’s? And I seem to recall there was a football match which helped precipitate the dissolution of Yugoslavia - national identities coalesced around football tribes.
We've never guaranteed the right to free speech and because we haven't it's a slippery slope all the way back down to the furnaces of autocracy we sprang from.
The Spanish president has come out on record saying we don't deserve anonymity on the internet.
Snail mail uses up physical space so it might get more attention, it would be hilarious to see news reports of truckloads of complaint mail being dumped in front of the whatever office.
This is a great idea, we definitively should make this happen! If people are curious on collaborating on something, reach out, email in profile (English or Spanish emails welcome!).
And when purchasing a product, there's no "bill of materials" telling you about the services it relies on, beyond "internet connection" at best.
I think lots of countries block Cloudflare whole-sale.
Laundering IP addresses for (or against) shady purposes is, in fact, Cloudflare's whole business. It's a wonder Cloudflare isn't being blocked more often.
I'm not saying this situation isn't bullshit, but the bigger problem is that CloudFlare is now "fundamental internet infrastructure". This is precisely the situation that the internet was designed to prevent.
Yesterday I got stuck in endless CloudFlare CAPTCHA's, trying to access theretroweb.com. I had to give up. Many such cases. I hate CloudFlare so much, it's unreal.
Without Cloudflare, you can censor whatever you want. If you have the support of an (undemocratic) government on your side, you can even DeDoS them, making sure that information critical of you cannot see the light of day.
You may like that the platform is open by default to everybody, but that's the obvious consequence.
Translation: go away kid, we're trying to make money here.
The fault here lies 100% with horribly designed IoT devices that turn into bricks when they lose internet connection.
A VPN won't help against government blanket outages, where the target is complete control of communications, and attempts to circumvent may result in extreme penalty. In this case, where the government policy is to stop unauthorized streaming, and collatoral damage is acceptable, a VPN hosted in a more favorable location is likely to work enough. Afaik, I don't think Spain has the political appetite to block VPNs and such during football matches.
You can still fight the political issue with political means, but in the mean time, you can also get work done.
What technical solutions can't change is the underlying social dynamics.
When the La Liga match starts, everything that's proxied via CF (including zero access reverse tunnels) stops working.
There's even a website made for checking if the match is on: https://hayahora.futbol/
You can check if your host is affected: https://hayahora.futbol/#comprobador&domain=docker-images-pr...
Pirates would rather not be blocked, so they create a new, disposable website for every game. Any blocking must happen fast.
Cloudflare would rather not block websites without a court order specifying the sites to be blocked.
The courts would rather not create a special fast lane through the courts, just to resolve a squabble between two huge corporations.
Funny enough, I work in IT and I've had to use a VPN to be able to do my job when soccer is on, but my two non-tech-savy family members that do watch soccer using pirate livestreams say that they've never had any issues with blocked streams.
why would they?
> squabble between two huge corporations
I think this is just LaLiga using it's cultural and economical power, don't think Cloudflare or the courts should be making exceptions just so they can control how people watch football
Looks like same old regulatory capture.
https://xcancel.com/eastdakota/status/2009654937303896492
Everyone looks bad in this conflict.
https://www.shadertoy.com/view/lscczl
Performing security verification
This website uses a security service to protect against malicious bots. This page is displayed while the website verifies you are not a bot. Incompatible browser extension or network configuration
India has consistently been at the top of the number of Internet blackouts anywhere in the world for years (Access Now keeps track of this through its KeepItOn project). These tend to be brief and localized, triggered by something as mundane as an exam or protest or local incident. It’s such a routine occurrence here that there’s even a reflexive response: mobile data works differently from other connectivity types, so go with that, try new DNS settings, rely on Telegram instead of WhatsApp when the latter fails you, and always have a list of mirrors.
What’s fascinating about this case is that it’s identical except for who is pressing the button LaLiga, a privately owned entity, in place of the government.
AFAIK, they're not doing "blanket IP blocking", they're intercepting requests based on DNS and IP, and try to serve their own certificates and their own content. Obviously, in most cases it fails, as the certificate doesn't match the site, so the browser rejects it, but as far as I can see and tell, there is no "blanket IP blocks", more like "DNS and IP interception".
The difference doesn't really matter in practice, sucks regardless, but I thought I'd clarify for the ones who are not experiencing these blocks themselves at least.
Someone needs to write a heist movie set in Spain where a key part of the plan is they steal something while La Liga is blocking some key security route.
https://int.assemblea.cat/civil-and-human-rights-abuses/tool...
For context, Spain is a full constitutional democracy, subject to the jurisdiction of the European Court of Human Rights, with a free(ish) press, independent judiciary, and regular elections — none of which Assemblea itself disputes, because it participates in all of them. The events OP is referencing (the 2017 independence referendum aftermath) were reviewed by European courts, and the outcomes were, shall we say, not quite the narrative Assemblea sells on its website.
If there are genuine, documented human rights concerns, I'd welcome impartial sources from the Supreme Court or the ECHR.
What I'd push back on is treating a political lobby's own press releases as neutral reporting. You should do better than that here, OP.
https://www.ohchr.org/en/press-releases/2022/08/spain-violat...
(why? Let's be honest: Catalunya would benefit enormously from independence, but when the economy goes well, as it did from 2001-2007, they're fine. After that the situation worsened again. The situation is simple: Catalunya has a much better economy than Spain and could maintain government spending, whereas being part of Spain, they need to cut social spending)
The Spanish government has violently repressed this, attacked the people, arrested politicians, tried to threaten other EU nations with invasion (yes, seriously, the current government has a few "rough edges", even if I would agree if someone said that any other party would be worse) unless they arrest Catalunya politicians (then did nothing when they told them to go f themselves), and this mostly with the agreement of regular Spaniards.
Given what is happening in the EU (10+ years of slowly but unrelentingly worsening economy) the situation is slowly worsening again.
I'd like to suggest some steps that might/should be followed, which I will not pursue personally but in my defense - I do not live in Spain and not affected.
1) (first! low-effort) Somebody should create any space on the internet, where such anecdotes might shared and probably people with common goals of fixing internet access in Spain will meet. E.g. telegram group, discord channel, subreddit...
2) probably create wiki with related research: legal framework and possible actions etc
3) Raise public awareness. Create a resource/website with schedule of past and future "semi-blackouts", simple explanation of possible effects a layman may notice etc
4) Explore legal actions that might be taken. How this issue might be forced to be discussed by politicians? For instance I know that Portugal has official mechanism to put forward petitions, that will be discussed in parliament if get enough votes [1]
Space of possible demands in such petitions is vast. For instance:
- Make LaLiga compensate partly price of internet access
- Force LaLiga to include education notice in the beginning and the of translation with title like "Start of reduced internet connectivity" / "End of reduced internet connectivity"
[1] https://participacao.parlamento.pt/initiatives/
Decentralised infrastructure: good
Centralised infrastructure: bad
Good and bad for you, of course. For the big companies selling and controlling this stuff, it's vice versa.
Just stay alert and don't chain yourself with big tech dependencies. The reason Git is great is its decentralised nature. If you got so far, why cripple yourself by running your traffic through a single American company like Cloudflare?
My game's server is blocked in Spain whenever there's a football match on: https://news.ycombinator.com/item?id=45358433
Spain’s LaLiga has blocked access to freedom.gov: https://news.ycombinator.com/item?id=47114235
Cloudflare’s authoritative DNS uses EDNS Client Subnet (ECS) to return different IP pools based on where the query originates. Spanish resolvers get IPs from a range that La Liga blocks. If your recursive resolver is physically outside Spain (or you use DoH/DoT to tunnel to one), Cloudflare returns a different, unblocked pool.
AdGuard DNS works well for this.
This is also not new behaviour - Theo posted a YouTube about it nearly a year ago[1].
[1]: https://www.youtube.com/watch?v=1-geGEYEw7g
Netblock do not work and will never work.
Humankind is not doing well with implementing new policies. We should really strive for each new policy (like in this case - blocking access to some parts of internet during soccer games):
- Consider running policy in small scale scenario (e.g. testing blocking in small parts of Spain before whole country rollout)
- Implement channels to gather info from those who are faced with results of policy implementation (in this case: the op got webpage with description why the page is blocked - a bit of sanity! It would be better if it was served with HTTP code 451)
- Policy instructions
- When deciding on policy put a date at which policy should be reconsidered and revised using data collected during the time when it was in effect
- ... and some more I have not thought about.
Let's strive to cultivate this principles in all life areas where we can affect how new policies are implemented.
(edit: linebreaks)
(The trial was initiated by LaLiga and Telefonica...).
"Telefonica" is the (exclusive) distributor for the rights of streaming the matches, and is only (of course?) the main consumer (and business) Telco in Spain: they are in a game they cannot lose. This is such an abuse and no government (this, past, whichever) has done anything about it.
The last domestic TV deal they signed recently was worth $6B for 5 seasons or so, which is what you are proposing they buy.
In enterprise value terms that $1B/year growing 6 %YoY is worth a lot more than $5B.
In contrast Cloudflare has a $2.5B revenue albeit growing much faster but also has much smaller earnings or free cash flow, I.e. money they are not spending to make their current revenue.
They make about $25m a year in profit. Cloudflair actually looses a small amount of money on 2.5x the revenue. However, Cloudflairs market cap is about 100x that of RM's and that's because they have a growing business, in a growing industry and can easily become profitable when needed. That's probably not possible for RM and their very pricey lineup of players.
Real Madrid owns the Bernabeu a valuable piece of real estate in the heart of Madrid and many other assets the Real Madrid brand is very monetizable .
Sports team have been consistently growing businesses in every major sport in both Europe and US. Comparing a sports team and SaaS company is hardly going to be apples to apples with different asset , revenue, brand and monopoly and strategic profiles.
——
The risk to the league due to piracy is the value of the television deal. The buyer paying $1B/yr (DAZN) is the reason for this enforcement.
If Cloudflare wants to buy this problem away that is what they need — The $1B deal growing 5-6% YoY and get into the streaming business .
Prime alone is expected to spend $4B on live sports rights this year. It is very expensive space with everyone from Apple to Google and Netflix to sovereign funds going deeper every year .
The streaming revenues otherwise aren’t expected to be massively grow so this is the content play that is least risk - compared to investing in say 4-5 blockbuster movies or tv series this is far more predictable and consistent revenue stream.
But no, it's apparently to stop piracy!? Turning off half the internet, and mostly the legitimate parts at that (since when do pirates use cloudflare?) seems like probably the worst method to go about it.
Someone ought to start streaming those games illegally without using cloudflare just to demonstrate how stupid this policy is
Oh, the icing on the cake is that they already do. While my whole dev stack gets shut off every weekend, my neighbour watches pirate futbol streams just fine - not only is it a stupid policy, it's an ineffective one, and the pirates bypassed the bans ages ago
Talk about unfair business practices!
It isn't even an authoritative regime censoring something, but much more silly.
1. If nix fails to pull anything, it builds (up to and including Linux kernel and compiler).
2. Nix has several ways to build OCI images, some even faster to assemble and slimmer output of official Docker tooling.
3. It is allowed several providers for same artefact to resolve pull.
If nix fails to pull things from its binary cache, it will download the "sources" of the derivations, which are hosted in various places and so it's even more likely an overly broad block impacts one of them.
This football block very well could also cover GitHub, cdn.kernel.org, and so on, so nix building things could fail just as easily.
The solution isn't to use something else which can download source code from 100s of sites across the internet to compile as a fallback, it's to not use internet which sporadically blocks sites hosting developer assets.
The solution is not technical, it's political.
2. Even if kernel.org or GitHub.com will be blocked, it likely than not it already was cached by nixos org cache or community cache or cachix or by your CI or by you workstation.
What Spain does is basically censorship and it's very poorly executed. The docker image registry is only one out of the many collateral victims of this stupid law.
Basically? It is censorship, with huge collateral damage and regardless of how much we complain or share evidence that the blocks are actually financially harming us, no one seems to care as long as La Liga gets to freely block whatever hoster of websites as they wish.
womenonweb.org for example was inaccessible for years, just unblocked some years ago. During the latest Catalan independence referendum, the Spanish government blocked a bunch of websites, not the very least the official website of the referendum itself.
This is just one of the most recent cases, and so far the one with widest regular impact.
I think changing your default DNS servers to Google 8.8.8.8 or Cloudflare 1.1.1.1 might bypass the spanish sunday ban on Cloudlflare.
macOS + Cloudlfare 1.1.1.1 https://developers.cloudflare.com/1.1.1.1/setup/macos/
Google 8.8.8.8 https://developers.google.com/speed/public-dns/docs/using
But you can just use a VPN.
https://hayahora.futbol/#sobre-los-bloqueos&domain=taoofmac....
They're blocking the CDN too, not just R2.
It comes in waves, and it’s not enough to affect anything, but it’s very weird because when I did some digging by looking at the ASN there was actually only one active IP address and if I browse to it I get someone’s Synology NAS login page.
Why would someone setup their NAS to randomly keep pinging my homepage?
Or can this be avoided by using an alternate DNS?
Yes, they block IPs belonging to CDNs (CF including R2, BunnyCDN, CDN77, Fastly, Alibaba, Akamai even)...
So much for digital sovereignty :-)
But come on, this can't be true. I wonder how many other people in IT wasted hours on issues and tickets to find out it is due to a football match taking place. Admittedly, chances are low, as football matches are usually outside of office hours.
regards: spanish authorities (who are watching the sportsball and so are better spaniards than you!)
I would really like to understand more about the process that they should follow but didn't / followed but didn't satisfy them / doesn't exist, in order to remove infringing websites quickly from CloudFlare.
They just refuse to take down random things that some media company representatives send their way, without a court order or any oversight. And this is a good thing.
>And this is a good thing.
Disagree. Demanding a court order for every single clear-cut case of infringement reported by the rightful owner of ephemeral content that is a infringed upon hundreds of times every day, causing nearly a billion dollar of losses per year... This is what the ISPs were trying to do and LaLiga successfully sued them, creating the modern fast-lane that CloudFlare complains about. Furthermore, unlike CloudFlare, the ISPs were not even profiting from the illegal content! This is a huge difference in the Spanish legal system. This will not end up good for them or for the open Internet they claim to defend (presumably as an excuse for taking their cut from cybercrime.)
Clear-cut by whose judgement? Surely not the plaintiff, who has demonstrated no care for collateral damage. Witness the many, many fraudulent DMCA takedowns that are regularly sent, for a demonstration of what happens when prospective plaintiffs are given a power of "guilty until proven innocent".
> causing nearly a billion dollar of losses
I thought we were long past people believing the funny-money fake numbers claiming every download is a lost sale.
Cloudflare, rightfully, said that was ridiculous and unreasonable.
A Spanish court, wrongfully, decided to let LaLiga block all of Cloudflare.
Courts orders are, rightfully, slow. A court order is a serious thing and we shouldn't be wasting judges' time and resources to determine if hundreds of domains in CloudFlare, during every single match, are infringing on LaLiga. This is why the Spanish ISPs have a fast-lane with LaLiga to block infringing websites quickly. Why is it ridiculous and unreasonable? If LaLiga starts abusing this power to attack competitors or do anything malicious they will lose that power instantly.
Fastly understood the problem and will start running detection software to ban infringing livestreams in real time. https://www.laliga.com/en-GB/news/fastly-and-laliga-team-up-...
What's CF's solution?
Because everything demonstrated so far has suggested that LaLiga is reasonable and measured? Courts exist for many reasons, among them that we do not trust plaintiffs to always be right or reasonable.
By way of demonstrating that such power is unacceptable, it sounds like LaLiga is also trying to get Spanish ISPs to block all VPNs whenever a game is on.
This is not an entity that can be trusted with power. This is an entity that rightfully should take its whining to a court who can keep its abuses in check. (Unfortunately, the Spanish courts also don't seem willing to keep its abuses in check, which brings us back to the collateral damage problem.)
> Fastly understood the problem
No, Fastly accepted the blackmail that Cloudflare refused.
So, if you want them to build stuff, ask yourself, are there any "Docker Registry" startups out there. If jsdelivr/globalping is not keeping you busy enough... there is an idea
If there's something you'd want out of a registry that you think the market would want, I'm all ears.
Globalping and jsDelivr took years to gain a meaningful user base
I think your name alone carries significant weight in the industry and you have built a very large community.
If you even vibe code something with, you will get a stupid amount of money thrown at you and a contract that bounds your existing projects and the next 3-5 years to a particular company as project lead.
Here is a list of acquisitions Cloudflare made recently: https://blog.cloudflare.com/tag/acquisitions/
Most of these companies did not have a half dozen paying customer or even a fully fleshed-out product before they were acquired.
https://x.com/ahachete/status/2035783292549755228
This is not an issue under the civil code (civilian issues), but something to be dealt under penal (criminal) code.
In Spanish
https://www.fiscal.es/memorias/memoria2020/FISCALIA_SITE/rec...
Oh, and BTW, LaLiga has just partnered with a CF rival.
Now CF can just sue both like hell because of unfair competition:
https://nitter.tiekoetter.com/xataka/status/2042658662850724...
https://x.com/jaumepons/status/1904906677335245294
One relevant would be Yildirim v. Turkey where court ordered blocking access to all Google sites because there was one that where someone insulted the memory of Atatürk. This was due to request from Telecommunications Directorate. This then caused the appellant's website to get blocked as well.
Another one would be Vladimir Kharitonov v. Russia.
But of course, Cloudflare rather prefers to hold their actual large customers (who don't have much of an alternative to CF) and everyday Spaniard users hostage.
How do you propose customers ought to be vetted? Why should a host be expected to take on the duties of a hall monitor? Isn't that the judiciary's job?
I think it is actually Spain using their residents as hostages in an attempt to extort Cloudflare and other large providers. The current situation is best described as blatantly corrupt regulatory capture.
It's driving up the cost and expenses. Operators of legitimate sites don't have to worry during that probation time about anything with the exception of customers in Spain during LL match hours.
LL has ~10 matches / weekend (Fri/Sat/Sun/Mon), that means pirates have to have about 40 domains/CF integrations per month plus more in standby - and more, for longer probation periods.
> How do you propose customers ought to be vetted?
I dunno... stuff like basic KYC measures would be a good start. Copies of ID cards. Government business licenses. Private entities (credit bureaus). Even phone number verification is a serious hurdle for malicious actors, and it ties activities to real world identities that can be held accountable.
Dangerous stuff (e.g. streaming) could only be made available upon a security deposit.
> Why should a host be expected to take on the duties of a hall monitor? Isn't that the judiciary's job?
No, and that we let ISPs get away with ignoring abuse@ emails is part of why the Internet is such a nasty place these days. You need a license to drive a car on public roads, you need an expensive license to fly a small plane, and you need a goddamn massively expensive license to fly a widebody aircraft. So why shouldn't you need to pass some set of verification before you get access to inarguably the Internet's most powerful data pipes?
That's an interesting point. Are their margins so slim that they can't afford less than ~$50 per domain? I'm not familiar with their revenue model.
This is the sort of thing that could be done via the legislature if Spain were serious and playing by the rules. They could require ISPs to do DNS filtering based on domain age during matches. If they really wanted to do service level filtering they could require hosts such as CF to perform geoblocking in a similar manner during matches.
> Dangerous stuff (e.g. streaming) could only be made available upon a security deposit.
Let's set aside for a moment that I think this suggestion is completely absurd. Are these sites using some prepackaged streaming solution? Do you not realize that I can stream video from any machine using software I control? To an approximation the only thing required to scale streaming up to lots of customers is raw bandwidth. If you don't accommodate seeking you can potentially serve thousands of simultaneous streams with a single cheap VPS (in practice this won't work because a cheap VPS won't have a 100 Gbit pipe).
> So why shouldn't you need to pass some set of verification
Since when have you needed a license or verification to publish? You're acting as though a global impressum requirement is the natural state of affairs. Your demand is an affront to free society.
> we let ISPs get away with ignoring abuse@ emails
That seems like an entirely separate matter, if it's even true at all.
> No
Ah yes, a rousing argument. Obviously you must be correct.
You've failed to make a convincing case as to why deciding what is and isn't permissible isn't the job of the judiciary. If Spain wants to change that then they need to pass laws to that effect but in practice those won't have global reach. Thus they might (for example) engage in international lobbying efforts to incorporate a DMCA equivalent for illegal streaming into the global copyright regime.
Failing the above it is Spain that is in the wrong here and I'm happy to see that CF isn't going along with their overbearing and entirely unreasonable nonsense.
But it's among the fastest growing in the EU? Granted, part of this is starting from a low base, but it's hardly "in shambles"
https://data.worldbank.org/indicator/NY.GDP.PCAP.KD.ZG?locat...
The figures I cited are for GDP per capita, which accounts for population growth. Moreover immigration should have the opposite effect of depressing per-capita GDP, because immigrants typically take lower skilled jobs, dragging overall productivity down. So if anything, the figures are artificially depressed, not inflated.
I think most people care more about these things than the GDP statistics tbh.
It’s precisely because CloudFlare isn’t responding like other CDNs to reasonable demands to cut off pirate origin sites that this mess exists. If they reacted quickly to remove configurations that are obviously facilitating copyright infringement, Spain wouldn’t resort to full scale ASN blocking.
How do we know it’s CloudFlare? Because other CDNs like CloudFront, Akamai, Fastly, etc. respond to takedown demands and aren’t being blocked. (Those also cost money and require customer identification.)
In an escalating war between the state and a corporation, the state will always prevail if they have the public’s backing. In Spain it’s clear that most people are happy to watch the match through legitimate channels even at the cost of blocking CloudFlare.
Apropos of anything else, CF is (reasonably) requiring a court order to remove offending material rather than just "well, company said so, so eh, just do as they say". La Liga complains that "oh, that's too slow for what we want" and just got a blanket ruling.
I am not a fan of CF but your argument seems to be "CF should just roll over any time someone says "hey, delete this", because, obviously, everyone knows it's problematic, right? Right?".
I'm not from Spain and instead of Spanish ISP I get a block from CloudFlare.
Now take a wild guess: which one is bigger - some Spanish ISP or CF?