diff --git a/CHANGELOG.md b/CHANGELOG.md
index d58777b986da158ccbbdbe80368a55f40187850b..2c9930f9867ad3f94b14a4b876d120909094ecb8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -41,6 +41,7 @@ be deprecated eventually.
 
 ### Features
 
+- [#2723](https://github.com/influxdata/telegraf/pull/2723): Added SSL configuration for input haproxy.
 - [#2494](https://github.com/influxdata/telegraf/pull/2494): Add interrupts input plugin.
 - [#2094](https://github.com/influxdata/telegraf/pull/2094): Add generic socket listener & writer.
 - [#2204](https://github.com/influxdata/telegraf/pull/2204): Extend http_response to support searching for a substring in response. Return 1 if found, else 0.
diff --git a/plugins/inputs/haproxy/README.md b/plugins/inputs/haproxy/README.md
index 81c8fb894b7072eab511455083894c4dd5a1c52b..fe107b5598839ca49f5229a276ff0ee3fa8ba9af 100644
--- a/plugins/inputs/haproxy/README.md
+++ b/plugins/inputs/haproxy/README.md
@@ -8,6 +8,12 @@
 # SampleConfig
 [[inputs.haproxy]]
   servers = ["http://1.2.3.4/haproxy?stats", "/var/run/haproxy*.sock"]
+#  ssl_ca = "/etc/telegraf/ca.pem"
+#  ssl_cert = "/etc/telegraf/cert.pem"
+#  ssl_key = "/etc/telegraf/key.pem"
+## Use SSL but skip chain & host verification
+#  insecure_skip_verify = false
+
 ```
 
 #### `servers`
diff --git a/plugins/inputs/haproxy/haproxy.go b/plugins/inputs/haproxy/haproxy.go
index 2be418a651a9304f255eaed7b272998f0ed59a3f..151312d6654f8c7a22a06c7d4d6683a5ece934eb 100644
--- a/plugins/inputs/haproxy/haproxy.go
+++ b/plugins/inputs/haproxy/haproxy.go
@@ -14,6 +14,7 @@ import (
 	"time"
 
 	"github.com/influxdata/telegraf"
+	"github.com/influxdata/telegraf/internal"
 	"github.com/influxdata/telegraf/plugins/inputs"
 )
 
@@ -25,6 +26,15 @@ type haproxy struct {
 	client *http.Client
 
 	KeepFieldNames bool
+
+	// Path to CA file
+	SSLCA string `toml:"ssl_ca"`
+	// Path to host cert file
+	SSLCert string `toml:"ssl_cert"`
+	// Path to cert key file
+	SSLKey string `toml:"ssl_key"`
+	// Use SSL but skip chain & host verification
+	InsecureSkipVerify bool
 }
 
 var sampleConfig = `
@@ -45,6 +55,13 @@ var sampleConfig = `
   ## Setting this option to true results in the plugin keeping the original
   ## field names.
   ## keep_field_names = true
+
+  ## Optional SSL Config
+  # ssl_ca = "/etc/telegraf/ca.pem"
+  # ssl_cert = "/etc/telegraf/cert.pem"
+  # ssl_key = "/etc/telegraf/key.pem"
+  ## Use SSL but skip chain & host verification
+  # insecure_skip_verify = false
 `
 
 func (r *haproxy) SampleConfig() string {
@@ -127,7 +144,15 @@ func (g *haproxy) gatherServer(addr string, acc telegraf.Accumulator) error {
 	}
 
 	if g.client == nil {
-		tr := &http.Transport{ResponseHeaderTimeout: time.Duration(3 * time.Second)}
+		tlsCfg, err := internal.GetTLSConfig(
+			g.SSLCert, g.SSLKey, g.SSLCA, g.InsecureSkipVerify)
+		if err != nil {
+			return err
+		}
+		tr := &http.Transport{
+			ResponseHeaderTimeout: time.Duration(3 * time.Second),
+			TLSClientConfig:       tlsCfg,
+		}
 		client := &http.Client{
 			Transport: tr,
 			Timeout:   time.Duration(4 * time.Second),