diff --git a/Makefile b/Makefile
index 7449389..04cc1e9 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,20 @@
+timestamp := $(shell cat latest-rulesets-timestamp)
+image := fpf.local/securedrop-https-everywhere-ruleset:$(timestamp)
+
 .PHONY: test-key
 test-key: ## Generates a test key for development/testing purposes locally.
 	openssl genrsa -out key.pem 4096
 	openssl rsa -in key.pem -outform PEM -pubout -out public.pem
 	python jwk.py > test-key.jwk
 
+.PHONY: serve
+serve: ## Builds Nginx container to serve generated files
+	@docker build --build-arg "timestamp=$(timestamp)" -t "$(image)" -f docker/Dockerfile .
+	@echo "=============================================================================="
+	@echo " Serving ruleset at http://localhost:4080/https-everywhere/ "
+	@echo "=============================================================================="
+	@docker run --rm -p 127.0.0.1:4080:4080 "$(image)"
+
 .PHONY: help
 help:
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
diff --git a/README.md b/README.md
index b681316..10e2a76 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,14 @@ For the production rules this signing must be done via the official signing cere
 Once you have the signature, place the files to serve in the root of the git tree in this repository, and then update the directory listing in `index.html` using the `update_index.sh` shell script in this directory.
 
-Inspect the diff. If it looks good, commit the resulting `index.html` and all files to be served.
+# Verifying
 
-Upon merge the ruleset release will be live.
+Inspect the diff. If it looks good, commit the resulting `index.html` and all files to be served. To test locally, run
+
+    make serve
+
+And configure your browser to use `http://localhost:4080/https-everywhere/`.
+
+# Deployment
+
+Upon merge the container will be published to `quay.io/freedomofpress` and the new tag will be deployed automatically.
 
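Review bot: `timestamp` on the first added line is read with `$(shell cat …)` at parse time for every invocation, and an absent or empty `latest-rulesets-timestamp` leaves it empty without stopping anything, so `serve` would then tag the image as `fpf.local/securedrop-https-everywhere-ruleset:` and only fail later inside docker with a less obvious message. A guard that fires only when `serve` actually runs makes the cause explicit; as the first recipe line of `serve`: `$(if $(strip $(timestamp)),,$(error latest-rulesets-timestamp is missing or empty))`. The `@` on the `docker build` recipe line also hides the command that failed; keeping `@` on the `echo` lines but dropping it from `docker build` makes build errors easier to trace. Publishing the port with `-p 127.0.0.1:4080:4080` on the `docker run` line is the right choice for a local test server, since it keeps the unauthenticated listener off non-loopback interfaces.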
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..b0ca2ff
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,10 @@
+# sha256 as of 2020-09-25 for mainline-alpine
+FROM nginx@sha256:4635b632d2aaf8c37c8a1cf76a1f96d11b899f74caa2c6946ea56d0a5af02c0c
+ARG timestamp
+
+COPY docker/nginx.conf /etc/nginx
+RUN mkdir -p /opt/nginx && chown nginx:nginx /opt/nginx
+
+USER nginx
+RUN mkdir -p /opt/nginx/run /opt/nginx/root/https-everywhere
+COPY index.html latest-rulesets-timestamp default.rulesets.${timestamp}.gz rulesets-signature.${timestamp}.sha256 /opt/nginx/root/https-everywhere/
diff --git a/docker/nginx.conf b/docker/nginx.conf
new file mode 100644
index 0000000..e7b88f9
--- /dev/null
+++ b/docker/nginx.conf
@@ -0,0 +1,26 @@
+pid /opt/nginx/run/nginx.pid;
+
+events {
+}
+
+http {
+    include /etc/nginx/mime.types;
+    sendfile on;
+
+    server {
+        listen 4080;
+        port_in_redirect off;
+
+        client_body_temp_path /opt/nginx/run/client_temp;
+        proxy_temp_path /opt/nginx/run/proxy_temp_path;
+        fastcgi_temp_path /opt/nginx/run/fastcgi_temp;
+        uwsgi_temp_path /opt/nginx/run/uwsgi_temp;
+        scgi_temp_path /opt/nginx/run/scgi_temp;
+
+        location / {
+            root /opt/nginx/root;
+            index index.html;
+            rewrite ^/https-everywhere$ $uri/;
+        }
+    }
+}
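Review bot: `ARG timestamp` on the third line has no default and is never validated, so a build run without `--build-arg timestamp=…` only fails on the final `COPY` with a not-found for `default.rulesets..gz`; a `RUN test -n "${timestamp}"` directly after the `ARG` line would name the real cause. Separately, the build context handed over by the Makefile is the repository root, which after `make test-key` contains `key.pem`; the explicit file list on the final `COPY` keeps it out of the image, but a `.dockerignore` excluding `*.pem` would also keep it out of the context sent to the daemon. Pinning the base image by digest and switching to `USER nginx` before creating the runtime directories are good; note that `COPY` does not honour `USER`, so the files copied on the last line stay root-owned, which is fine as long as they remain world-readable and has the benefit that the unprivileged worker cannot modify the served ruleset.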
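Review bot: The `server` block never sets `server_tokens off;`, so the nginx version is reported in the `Server` header and on error pages; adding `server_tokens off;` next to `port_in_redirect off;` is a cheap hardening step even for a local test server. No `error_log` or `access_log` directives are set either, so the defaults under `/var/log/nginx` apply; since the Dockerfile runs the process as `USER nginx`, it is worth confirming those paths are writable by that user (or pointing them at `/dev/stderr` and `/dev/stdout` explicitly), because an unopenable log can keep nginx from starting. The `rewrite ^/https-everywhere$ $uri/;` is an internal rewrite to the directory index rather than a client-facing redirect, which is consistent with `port_in_redirect off`; a one-line comment such as `# serve the directory index for the bare /https-everywhere path` would save the next reader from working that out.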