freedomofpress · emkll · Oct 1, 2020 · Sep 25, 2020 · Sep 30, 2020 · Sep 30, 2020
diff --git a/Makefile b/Makefile
@@ -1,9 +1,20 @@
+timestamp := $(shell cat latest-rulesets-timestamp)
+image := fpf.local/securedrop-https-everywhere-ruleset:$(timestamp)
+
 .PHONY: test-key
 test-key: ## Generates a test key for development/testing purposes locally.
 	openssl genrsa -out key.pem 4096
 	openssl rsa -in key.pem -outform PEM -pubout -out public.pem
 	python jwk.py > test-key.jwk
 
+.PHONY: serve
+serve: ## Builds Nginx container to serve generated files
+	@docker build --build-arg "timestamp=$(timestamp)" -t "$(image)" -f docker/Dockerfile .
+	@echo "=============================================================================="
+	@echo "          Serving ruleset at http://localhost:4080/https-everywhere/          "
+	@echo "=============================================================================="
+	@docker run --rm -p 127.0.0.1:4080:4080 "$(image)"
+
 .PHONY: help
 help:
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
diff --git a/README.md b/README.md
@@ -51,6 +51,14 @@ For the production rules this signing must be done via the official signing cere
 
 Once you have the signature, place the files to serve in the root of the git tree in this repository, and then update the directory listing in `index.html` using the `update_index.sh` shell script in this directory.
 
-Inspect the diff. If it looks good, commit the resulting `index.html` and all files to be served.
+# Verifying
 
-Upon merge the ruleset release will be live.
+Inspect the diff. If it looks good, commit the resulting `index.html` and all files to be served. To test locally, run
+
+    make serve
+
+And configure your browser to use `http://localhost:4080/https-everywhere/`.
+
+# Deployment
+
+Upon merge the container will be published to `quay.io/freedomofpress` and the new tag will be deployed automatically.
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -0,0 +1,10 @@
+# sha256 as of 2020-09-25 for mainline-alpine
+FROM nginx@sha256:4635b632d2aaf8c37c8a1cf76a1f96d11b899f74caa2c6946ea56d0a5af02c0c
+ARG timestamp
+
+COPY docker/nginx.conf /etc/nginx
+RUN mkdir -p /opt/nginx && chown nginx:nginx /opt/nginx
+
+USER nginx
+RUN mkdir -p /opt/nginx/run /opt/nginx/root/https-everywhere
+COPY index.html latest-rulesets-timestamp default.rulesets.${timestamp}.gz rulesets-signature.${timestamp}.sha256 /opt/nginx/root/https-everywhere/
diff --git a/docker/nginx.conf b/docker/nginx.conf
@@ -0,0 +1,26 @@
+pid /opt/nginx/run/nginx.pid;
+
+events {
+}
+
+http {
+    include /etc/nginx/mime.types;
+    sendfile on;
+
+    server {
+        listen 4080;
+        port_in_redirect off;
+
+        client_body_temp_path /opt/nginx/run/client_temp;
+        proxy_temp_path /opt/nginx/run/proxy_temp_path;
+        fastcgi_temp_path /opt/nginx/run/fastcgi_temp;
+        uwsgi_temp_path /opt/nginx/run/uwsgi_temp;
+        scgi_temp_path /opt/nginx/run/scgi_temp;
+
+        location / {
+            root /opt/nginx/root;
+            index index.html;
+            rewrite ^/https-everywhere$ $uri/;
+        }
+    }
+}