RSS-Bridge on Ubuntu 24.04 on Azure User Guide
Overview
RSS-Bridge is a popular open source application that generates RSS and Atom feeds for websites that do not publish their own. You pick a bridge from a searchable list, fill in a short form, and RSS-Bridge returns a feed URL you paste into any RSS reader, so you can follow sites, video channels and social accounts in one place again. The cloudimg image installs RSS-Bridge on nginx and PHP 8.3 FPM, then locks it down for a marketplace appliance. Because RSS-Bridge fetches upstream URLs on the requester's behalf, an unprotected instance could be abused by anyone on the internet as an open feed proxy, so the entire interface is placed behind a per VM HTTP Basic Auth gate (user admin, unique password generated on first boot), with only an unauthenticated /healthz endpoint left open for load balancer probes. RSS-Bridge's own configuration is hardened too, with a curated set of bridges and debug mode disabled. RSS-Bridge is stateless with no database to run. Backed by 24/7 cloudimg support.
What is included:
- RSS-Bridge (release 2025-08-05) installed on nginx and PHP 8.3 FPM, with no database to run
- The full RSS-Bridge web UI on
:80, fronted by nginx with a default deny HTTP Basic Auth gate - Per VM HTTP Basic Auth (user
admin) protecting the whole surface, with a unique password generated on first boot - Open proxy protection: only the authenticated owner can generate feeds, so the instance cannot be abused
- A curated
enabled_bridgesset andenable_debug_mode = falseinconfig.ini.phpfor defence in depth - An unauthenticated
/healthzendpoint for Azure Load Balancer health probes nginx.service+php8.3-fpm.serviceas systemd units, enabled and active- The bcrypt Basic Auth hash stored on disk only - no plaintext password ships in the image
- 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a comfortable starting point; RSS-Bridge is light on resources. NSG inbound: allow 22/tcp from your management network, 80/tcp for the web UI, and 443/tcp if you add TLS. RSS-Bridge serves plain HTTP on port 80; for production use, terminate TLS in front of it with your own domain and restrict access to trusted IP ranges (see Maintenance).
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for RSS-Bridge by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create -> Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name rss-bridge \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
az vm open-port --resource-group <your-rg> --name rss-bridge --port 80 --priority 1010
Step 3 - Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 - Confirm the services are running
systemctl is-active nginx.service php8.3-fpm.service
Both report active. RSS-Bridge runs as PHP under php8.3-fpm, and nginx fronts it on port 80 and adds the per VM HTTP Basic Auth gate. PHP-FPM listens only on a local unix socket, so nginx is the only way in.

Step 5 - Retrieve your web UI password
nginx protects the whole RSS-Bridge interface with HTTP Basic Auth. The username is admin and a unique password is generated on the first boot of your VM and written to a root only file:
sudo cat /stage/scripts/rss-bridge-credentials.log
This file contains RSS_BRIDGE_USERNAME, RSS_BRIDGE_PASSWORD and the RSS_BRIDGE_URL to open in a browser. The password is stored on disk only as a bcrypt hash in /etc/nginx/.rss-bridge.htpasswd, so no plaintext password ships in the image. Store the password somewhere safe.

Step 6 - Confirm the health endpoint
nginx serves an unauthenticated health endpoint for load balancers and probes:
curl -s http://localhost/healthz
It returns ok. This endpoint never requires authentication, so it is safe for an Azure Load Balancer health probe. It is the only path that is reachable without the password.
Step 7 - Confirm the open proxy protection
Because a password is set on first boot, an unauthenticated request to the interface returns HTTP 401, so nobody can drive RSS-Bridge without the password. This is what stops your instance being abused as an open feed proxy. The following reads the per VM password from the credentials file and proves the round trip - unauthenticated is rejected, a wrong password is rejected, and the correct password authenticates:
PW=$(sudo grep '^RSS_BRIDGE_PASSWORD=' /stage/scripts/rss-bridge-credentials.log | cut -d= -f2-)
echo "unauth : $(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1/)"
echo "wrongpw : $(curl -s -o /dev/null -w '%{http_code}' -u admin:wrong-pw http://127.0.0.1/)"
echo "authed : $(curl -s -L -o /dev/null -w '%{http_code}' -u admin:$PW http://127.0.0.1/)"
It prints unauth : 401, wrongpw : 401 and authed : 200. The whole interface is only reachable with the per VM password.

Step 8 - Generate a feed from the command line
The image ships a small built-in self-test page, reachable only on loopback, so you can confirm the feed pipeline end to end without depending on an external site. The following authenticates with your per VM password and asks the CSS Selector Bridge to turn that page into an Atom feed:
PW=$(sudo grep '^RSS_BRIDGE_PASSWORD=' /stage/scripts/rss-bridge-credentials.log | cut -d= -f2-)
curl -s -u "admin:$PW" -G http://127.0.0.1/ \
--data-urlencode action=display \
--data-urlencode bridge=CssSelectorBridge \
--data-urlencode home_page=http://127.0.0.1/selftest/feed-source.html \
--data-urlencode 'url_selector=article h2 a' \
--data-urlencode format=Atom | head -16
It prints a valid Atom document - an <feed> element with three <entry> items - proving RSS-Bridge can fetch a page, extract items and emit a feed. In the browser you point the same bridge at any real site instead.

Step 9 - Sign in and browse the bridge list
Browse to http://<vm-public-ip>/. Your browser prompts for a username and password: enter admin and the password from Step 5. RSS-Bridge opens on its home page: a searchable list of bridges, each a card describing a site or service it can turn into a feed, with a search box at the top to filter by name, description or URL.

Step 10 - Fill in a bridge form
Click Show more on a bridge card to reveal its form. For the CSS Selector Bridge - which turns any page into a feed - enter the page URL under Site URL and a CSS selector for the article links under Selector for article links (for example article h2 a). The optional fields let you filter URLs, expand article content and set a limit. Click Generate feed to produce the feed.

Step 11 - Read the generated feed
RSS-Bridge opens the generated feed. In the HTML view each extracted item is shown as a card with its title and link, and a row of format buttons - Atom, Json, Mrss, Plaintext - lets you switch the output format. This is the feed your RSS reader will consume.

Step 12 - Subscribe in your RSS reader
Choose Atom (or Mrss) to get the raw feed URL, then copy it into your RSS reader. Because the whole interface is behind HTTP Basic Auth, include the credentials in the subscription - most readers accept a URL of the form http://admin:your-password@<vm-public-ip>/?action=display&bridge=..., or a separate username and password field. The reader then polls the feed on its own schedule.

Step 13 - Enable more bridges
The image enables a curated set of bridges (the generic CSS Selector, XPath, Feed Merge, Feed Reducer and Filter bridges plus popular site bridges) rather than all of them. To enable another bridge, add it to the [system] section of the RSS-Bridge configuration; no nginx reload is needed, as the change is picked up on the next request:
sudo nano /var/www/rss-bridge/config.ini.php
# under [system], add a line such as:
# enabled_bridges[] = VimeoBridge
# save, then just refresh the browser
The full list of available bridge names is in /var/www/rss-bridge/bridges/. Keep the list curated rather than enabling * (all bridges), so the home page stays focused on the sources you actually use.
Maintenance
- Password: the UI password is set on first boot and stored as a bcrypt entry in
/etc/nginx/.rss-bridge.htpasswd. To change it, runsudo htpasswd -B /etc/nginx/.rss-bridge.htpasswd adminand thensudo systemctl reload nginx. - Enabled bridges: edit the
enabled_bridges[]lines under[system]in/var/www/rss-bridge/config.ini.php. Keep it curated rather than*, and leaveenable_debug_mode = falsein production. - Restrict access: RSS-Bridge serves plain HTTP on port 80. For production, restrict access to trusted IP ranges in your Network Security Group, and front it with TLS (for example certbot with your own domain) terminating on
:443. - Cache: feeds are cached on disk under
/var/cache/rss-bridge. It is safe to clear withsudo rm -rf /var/cache/rss-bridge/*if you want to force a refresh. - Upgrades: RSS-Bridge is deployed under
/var/www/rss-bridge. To upgrade, download a newer release, extract it over the web root preservingconfig.ini.php, and set ownership back towww-data. - Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.
Support
cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.