#: Legitimate Domain Blocked by Spanish ISPs due to Shared IP Blacklisting (LaLiga Court Order)

Hi everyone,

I am looking for advice on how to force an IP rotation or move my domain to a different edge IP range.

The Situation: My domain has become collateral damage in a dynamic blocking campaign by Spanish ISPs (Movistar, Vodafone, Orange) acting on a court order from the Commercial Court No. 6 of Barcelona. These blocks target IP addresses used for illegal football streaming, but since I am on a shared Cloudflare pool, my legitimate dashboard is being blocked alongside them.

Technical Symptoms:

Users in Spain are getting ERR_QUIC_PROTOCOL_ERROR or ERR_ECH_FALLBACK_CERTIFICATE_INVALID.

The block is dynamic: it spikes during matches (like today's Real Madrid vs Betis) and sometimes eases afterwards, but the IP remains "dirty" in many ISP caches.

I have already disabled HTTP/3 and TLS 1.3 to simplify the handshake, but the block is happening at the IP/Infrastructure level.

Question: Since I manage this zone on my own Cloudflare account, what is the most effective way to move away from these "flagged" shared IPs?

Is a Paid Plan (Pro/Business) enough to get moved to a different, cleaner IP range?

Does Cloudflare offer Dedicated or Reserved IPs for Pro/Business zones to avoid sharing infrastructure with high-risk sites?

Has anyone else in Spain dealt with these "LaLiga" dynamic blocks and found a way to request an IP rotation from support?

I have proof of the judicial blocking message shown to my users. Any guidance on how to escalate this or which paid feature would solve this permanently would be greatly appreciated.

?laliga

La Liga (Spanish Football league) is blocking many of Cloudflare's IP ranges in Spain due to allegations of football piracy.
As of March 31st, Cloudflare is suing over this indiscriminate blocking. We recommend telling your local government official how this is impacting you.

This blocking impacts a subset of customers. Upgrading your zone plan may resolve the issue, but that is not a guarantee.
If you're an Enterprise customer, you can use Cloudflare BYOIP to use your own IP address and avoid any blocks against Cloudflare CDN IPs.

https://www.laliga.com/en-ES/news/official-statement-in-relation-to-the-blocking-of-ips-during-the-recent-ea-sports-laliga-matchdays-linked-to-illegal-cloudflare-practices

I'm well aware

"Access to this IP address has been blocked in compliance with the provisions of the Sentence of December 18, 2024, issued by the Commercial Court No. 6 of Barcelona within the framework of the ordinary procedure (Commercial matter art. 249.1.4)-1005/2024-H requested by the National Professional Football League (LaLiga) and by Telefónica Audiovisual Digital, S.L.U.

what am i supposed to do then ?

do you have any idea of what to do?

If you're an Enterprise customer, you can use Cloudflare BYOIP to use your own IP address and avoid any blocks against Cloudflare CDN IPs.

but i'm not

then there's nothing.

sue LaLiga

So eitheri spend a big ammount of money on the enterprise plan, or spend even more money on a lawsuit againts LaLiga mafia

You can at your own risk upgrade to a higher plan. There's no guarantee that those shared IP addresses aren't blocked too, or they may be in the future so there's no refunds as Cloudflare doesn't offer plans for that reason. As posted, the only way to be sure is for dedicated IP addressing with an Enterprise plan.

But do complain to your ISP, Government and the European Commission. LaLiga is pushing that the knock-on effects of their blocks is negligible which is clearly false.

How much can an Enterprise plan cost?

I understand, but that won't solve the issue, it will take forever and no action will be taken

$1000s several per month + dedicated IP cost (or +++ BYIP cost)

Would creating an new cloudflare account on another country, and moving the domain to that new account help?

No

Such an overkill and waste of money

but wouldnt that give me a new ip?

Blocked IPs do shift around as the blocked sites move, check out this site for data....

https://hayahora.futbol/#sobre-los-bloqueos

It may do, it may not. It may be blocked too. Anything you can do the blocked sites can do so it's whack-a-mole. Cloudflare can't act as can't be seen to be avoiding court orders.

Makes sense. But apart from that there is no way of changing IPs?

No. If you can do it, so can the blocked sites and then all Cloudflare IPs would eventually be blocked.

Hi friend, just randomly parachuting here in your help request, have u considered emailing all ISPs in your region or customer's region requesting whitelisting your domains if possible? Not a very good option but could be an option

But sounds like a real bad issue not solvable without switching temporarily to another DNS or proxy (not sure if thats a total cloudfalre dns block or cf proxy specific issue)

ISPs can’t do much. It’s LaLiga who chooses who to ban and ISPs have to do so because of the court order. They admit there’s collateral damages to legitimate business and websites.

A hacky way would be to switch your maindomain.com to another dns server,
set your app to work in 2 domains:
maindomain2.com in cloudflare,
maindomain3.com outside cloudflare,

make maindomain.com an isntant redirect app:

0. load a preload-check-redirect.html page with:
1. an iframe that loads maindomain2.com and check if it loads,
   OR 2. just ping the blocked ips/site with JS
2. if it's blocked redirect to maindomain3.com
3. if it's not blocked open maindomain2.com

main issue would be your app will need to work on both maindomain2.com and maindomain3.com but I think reverse proxies support this easily and can set the 'x-forwarded-for' to maindomain.com so your app will receive 'the user connected through maindomain.com' always.

I’ll look into this tomorrow. Might be a solution.

😄

do u use reverse proxy?

I thinks its just regular proxy

Sorry this is outside of my technical knowledge hahah, im trying my best

reverse proxy is nginx / caddy / traefik

then no, not that i'm aware of

also is this a cloudflare proxy ip block or a cloudflare DNS IP block

if you disable proxy does it work?

might have easier options

The main issue with this approach is that I don’t host the application myself; I am using a white-label SaaS solution managed by a tech provider.

Because of this, I have significant constraints:

Backend Control: I cannot configure the reverse proxy or the application to accept traffic from multiple domains (maindomain2.com, maindomain3.com) or handle the x-forwarded-for headers correctly. The provider has already stated they cannot make custom backend configuration changes for my specific tenant.

Security/DDoS: The provider likely won't allow a "direct" connection (outside Cloudflare) to their origin servers, as that would expose their entire infrastructure to DDoS attacks.

CORS Headers: For the JS/iframe check to work across different domains, the provider would need to adjust their CORS policy on the server, which I don't have access to.

It’s a great architectural solution if I were self-hosting, but since I am locked into their infrastructure and they have refused to modify their backend config, I'm afraid I can't implement this on my end.

im not sure, heres all the spanish league said: https://www.laliga.com/en-ES/news/official-statement-in-relation-to-the-blocking-of-ips-during-the-recent-ea-sports-laliga-matchdays-linked-to-illegal-cloudflare-practices

I might be able to do some changes to the provider's back end, but they have to be minimal, and not affect any other clients

Can you disable cloudflare proxy on your domain to test?

Not sure if they block the nameservers (dns resolving to ip) or proxy ips only

they don't give the info, but i could check on the blocked ip list if u give me your website domain

also which 2 cloudflare nameservers your domain uses (like alexa.ns.cloudflare.com) domain DNS record type: NS

ping -4 ns1.ns.cloudflare
ping -6 ns1.ns.cloudflare
ping -4 ns2.ns.cloudflare
ping -6 ns2.ns.cloudflare
search ip on
https://hayahora.futbol/estado/data.json

if its not there maybe disabling cf proxy for domain could work? or for better security switch to another proxy service temporarily, would be your final option

my dns at least isnt but I'm on another continent not affected probably

on the hayahora.futbol website it says that we are affected by the bans

yea but did they block your domain name, or only cloudflare proxy ips? can you try disabling proxy to test?

I'd guess the "blocking cloudflare ips" means the CF DNS proxy ips, so if u keep only DNS and not DNS+proxy it might work cuz your ip that is behind cloudflare is not blocked

you know cloudflare proxy hides your app's ip

It is the CDN (e.g. HTTP(S)) Proxy IP address that is being blocked by LaLiga.

Switching the Proxy status to Unproxied () / DNS-only during these matches will therefore make the website work again.

(Except if LaLiga is also blocking the IP address(es) of your origin.)

my domain is fine, it's only the proxy on cloudflare

then I can't acces the website

@urban bay @flint quartz

That logic works if I were self-hosting, but I'm running a White-Label SaaS setup, so DNS-only breaks the site.

Here is the architecture:

I own the branded domain (dashboard.maindomain.com).

The tech provider hosts the platform on their infrastructure (techprovider.com).

I point my CNAME to them, but my Cloudflare account handles the SSL termination.

If I disable the proxy (grey cloud), traffic hits the provider's origin directly requesting dashboard.maindomain.com. Since they haven't provisioned an SSL certificate for my specific custom domain on their end (they don't use 'Cloudflare for SaaS' for my tenant yet), the SSL handshake fails immediately.

So basically, without the proxy, I can't establish a secure connection to their platform.

not a hard fix, just point your cloudflare domain to another proxy service or load balancer service for a while, the proxy server or load balancer will point to your tech provider host

either point your domain in cloudflare to the external proxy service, or switch your domain nameserver from cloudflare to another service temporarily. like https://pangolin.net/ is apparently a reverse proxy service , but certainly doesnt have a free plan as generous as cloudflare

cloudflare domain (DNS only = proxy disabled) ---> proxy or load balancer ---> app.techprovider.com

i mentioned this bc its also open source https://github.com/fosrl/pangolin

so u can host it yourself on a serveless or VPS OVH instance to have the same proxy ->host redirections as cloudflare proxy does