diff --git a/cli/main.go b/cli/main.go
index a5b3758..c9f5e14 100644
--- a/cli/main.go
+++ b/cli/main.go
@@ -101,7 +101,7 @@ func start(config *config.Config) {
 		Handler: http.DefaultServeMux,
 	}
 
-	err = server.ServeHTTPAndHandleSignal(lsn, *srv, *config.ShutDownTimeout)
+	err = server.ServeHTTPAndHandleSignal(lsn, *srv, *config.ShutDownTimeout, *config.TLSConfig)
 	if err != nil {
 		errorLogger.Fatal(err)
 	}
diff --git a/config.example.yml b/config.example.yml
index 953e438..67c5a7a 100644
--- a/config.example.yml
+++ b/config.example.yml
@@ -6,6 +6,12 @@
 #   SERVER_STARTER:/path/to/socket
 listen: "0.0.0.0:9099"
 
+# enable TLS (optional)
+
+tls:
+  certfile: "/path/to/cert.crt"
+  keyfile: "/path/to/keyfile.key"
+
 # access_log (optional)
 access_log:
   format: "ltsv"
diff --git a/config/config.go b/config/config.go
index b299d30..991c2a8 100644
--- a/config/config.go
+++ b/config/config.go
@@ -14,12 +14,18 @@ const (
 
 type Config struct {
 	Listen          *string                   `yaml:"listen" validate:"required"`
+	TLSConfig       *TLSConfig                `yaml:"tls"`
 	ShutDownTimeout *time.Duration            `yaml:"shutdown_timeout"`
 	ExporterConfigs map[string]ExporterConfig `yaml:"exporters" validate:"required,dive"`
 	AccessLogConfig *AccessLogConfig          `yaml:"access_log"`
 	ErrorLogConfig  *ErrorLogConfig           `yaml:"error_log"`
 }
 
+type TLSConfig struct {
+	CertFile *string `yaml:"certfile" validate:"required"`
+	KeyFile  *string `yaml:"keyfile" validate:"required"`
+}
+
 type AccessLogConfig struct {
 	Format *string  `yaml:"format" validate:"required"`
 	Path   *string  `yaml:"path"`
diff --git a/server/server.go b/server/server.go
index 0c171f2..e49c2fc 100644
--- a/server/server.go
+++ b/server/server.go
@@ -8,12 +8,20 @@ import (
 	"os/signal"
 	"syscall"
 	"time"
+
+	"github.com/rrreeeyyy/exporter_proxy/config"
 )
 
-func ServeHTTPAndHandleSignal(listener net.Listener, server http.Server, timeout time.Duration) error {
-	go func() {
-		server.Serve(listener)
-	}()
+func ServeHTTPAndHandleSignal(listener net.Listener, server http.Server, timeout time.Duration, tlsconfig config.TLSConfig) error {
+	if &tlsconfig != nil {
+		go func() {
+			server.ServeTLS(listener, *tlsconfig.CertFile, *tlsconfig.KeyFile)
+		}()
+	} else {
+		go func() {
+			server.Serve(listener)
+		}()
+	}
 
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, syscall.SIGTERM)