How we solved the Cloudflare IP blocking issue triggered by LaLiga (and saved Redsys payment notifications)

Here’s the professional English translation with all HTML tags, links, and formatting preserved:
Geographic location of the problem: Spain. Global impact.
In recent months, numerous digital companies—including ecommerce, fintechs, and content platforms—have experienced service interruptions due to a measure implemented by LaLiga (The Spanish Professional Football League) in its fight against digital piracy.
One of the most controversial actions has been the blocking of IP ranges managed by Cloudflare, one of the most widely used CDNs worldwide. Among the affected or potentially vulnerable services are giants such as X (Twitter), GitHub, Microsoft, Mozilla, Snapchat, Temu, as well as Spanish entities like Facua, CaixaBank, and Redsys.
LaLiga publishes a form for those affected by the Cloudflare blockage

The Redsys case: how it affects ecommerce and payment platforms in Spain

Several of our clients began reporting serious errors in the communication between Redsys and their ecommerce platforms based on Adobe Commerce / Magento. Specifically:

• The Redsys IPN (Instant Payment Notification) system was unable to send payment confirmation.
• As a result, orders were not marked as paid, invoices were not automatically issued, and failed orders were not canceled.
• Outcome: operational misalignments, loss of control over orders, and the need for manual verification of each sale.

The reason? Redsys’s IP was being blocked by Cloudflare, affecting all stores using this CDN (which are many).

Our solution from Interactiv4: ecommerce prepared for blockages and CDN

At Interactiv4, we have developed a specific solution for this problem and incorporated it into our proprietary Redsys module for Adobe Commerce and Magento Open Source.
Here’s how we solved it:
✅ Alternative domain free of Cloudflare
We created a new subdomain not managed by Cloudflare to receive IPN notifications.
✅ Secure internal redirection
This subdomain serves as a return point for Redsys. Through a server-level configured redirection, the information returns to the main domain without going through Cloudflare.
✅ Double verification
If for any reason the IPN fails, the system rechecks the payment status when redirecting the user after checkout.

Results: from 48% failures to only 1.62%

Before applying this solution:
48.88% of payments were not confirmed correctly.
After implementing it:
The failure rate was reduced to only 1.62%.
These results have allowed our clients to maintain control over their operations and ensure a frictionless shopping experience.

Could it happen again? Yes. But we’re already prepared.

Although this incident relates to LaLiga and Cloudflare, the risk extends to any CDN that acts as an intermediary layer between a payment system and an ecommerce platform.
That’s why having a robust, modular, and flexible solution is key. In ecommerce, every millisecond and every payment counts.

Does your store use Redsys and Cloudflare?

We can help you protect it. Contact us
Specialists in secure payment integrations for Adobe Commerce and Magento.