diff --git a/demo/Caddyfile b/demo/Caddyfile
new file mode 100644
index 0000000..af86290
--- /dev/null
+++ b/demo/Caddyfile
@@ -0,0 +1,37 @@
+{
+ debug
+ order psl first
+ order replace after encode
+ on_demand_tls {
+ ask http://localhost:8012
+ }
+}
+
+:443 {
+ tls {
+ on_demand
+ }
+ log
+
+ @notDemoResource not path /on-demand-tls /resources/*
+ rewrite @notDemoResource /on-demand-tls
+
+ reverse_proxy 10.138.88.42:80 {
+ header_up Accept-Encoding identity
+ header_up Host {upstream_hostport}
+ }
+
+ replace stream {
+ ` src="/` ` src="https://caddyserver.com/`
+ ` href="/` ` href="https://caddyserver.com/`
+ }
+}
+
+:8012 {
+ bind 127.0.0.1 ::1
+ psl
+ #@allowed `{query.domain} == "caddydemo."+{qs.domain.registered_domain}`
+ @allowed query domain=caddydemo.{qs.domain.public_registered_domain}
+ respond @allowed 200
+ respond 400
+}
diff --git a/demo/README.md b/demo/README.md
new file mode 100644
index 0000000..16fdaba
--- /dev/null
+++ b/demo/README.md
@@ -0,0 +1,5 @@
+This folder contains the Caddy config for the On-Demand TLS demo on the Caddy website.
+
+It is hosted on a separate machine from the Caddy website so we can isolate canary builds in a production environment when necessary.
+
+This config requires the [caddy-psl](https://github.com/mholt/caddy-psl) and [replace-response](https://github.com/caddyserver/replace-response) plugins.
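Review bot: In demo/Caddyfile, the `@allowed` matcher in the `:8012` site is the only gate on on-demand certificate issuance, and it approves `caddydemo.` under any registered domain, so the number of certificates this host can be asked to obtain and store has no upper bound. That may be the intended demo behaviour, but it should be stated next to the policy, for example `# Approves only caddydemo.<registered domain>: one name per domain, no cap on the number of domains`. The commented-out `#@allowed` expression line just above it should be removed so there is a single policy to read. The global `debug` option also looks like a leftover for a machine the README describes as production, since it turns on debug-level logging; if it is deliberate for canary builds, a short comment saying so would help.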