Installing an SSL certificate on HAProxy

Published: 2019/8/7 13:44:41

Merging the files into PEM format

Using a text editor, create a new text file and paste the private key, the server certificate and the intermediate certificate into it, then save it under a name such as haproxy.pem. The order of the pasted sections matters; they must appear in the following sequence:

Private key  ->  Server certificate  ->  Intermediate certificate

An example of the merged haproxy.pem file:

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCsg6jnizhfp6wB
I4NEDzmxuO7WyGHGq5O6QImzvgOY0P2HPvDnhPjO9jK1LJRseNpitEFLZsy9o8T+
FhQvfFMH17sWpm/oGzU4tcq13EnYeYrH2kSP1akrpPX7FtoGA9MhqJSM4Vd94iyI
Pyj23aAdjRpIjB/OVAIdHYr2Hrq3Pmt9DssYOETOeRGKdNZXJ1eEHbcyOeXgbyhS
Zh8HqrQH4+OqSeif8lOUsJl04QNKe1AepoqwTgZXzFR1bAYg0kH+yFB4rGy1j8+c
3tyHBKyOVEikNzBRVAl+2R6ZAtV+IEgC5q0Zn4w7AVS3XTTI3TmpVjD99od0010f
ZKZhLu3OzEdi5MIaryHNhdBT
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGyjCCBbKgAwIBAgIQHBownU2zLLk3qx+TS3RGgDANBgkqhkiG9w0BAQsFADBH
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMX
R2VvVHJ1c3QgRVYgU1NMIENBIC0gRzQwHhcNMTcwNTAyMDAwMDAwWhcNMTgwMzIw
dDdMa+pn2Xz1m3HBDDbVJQoRE3mMWwt3cOXXCIDHZiyQFdQbawLYaGVKSkfum3vU
+AEOHFRmkV40V3gKfcZdAwvk6oDUHmPpN1YDSISjx0ExdJ15xmr48bcADsAYRkGe
4Ph7mafLwwPiiM6cWRbzxQF+8WDDpZPDEOftR5IZKXTvmVTIHSHbHuqwqJ4LX/vw
LYzbXyVnRVABDDszcK+WYncXK7EV9OeKn8tJlvnFahbQtW+F7x6VnQWE3Q73DW1o
+vNwV9nzfOV11G5zqsI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
R2VvVHJ1c3QgRVYgU1NMIENBIC0gRzQwHhcNMTcwNTAyMDAwMDAwWhcNMTgwMzIw
dDdMa+pn2Xz1m3HBDDbVJQoRE3mMWwt3cOXXCIDHZiyQFdQbawLYaGVKSkfum3vU
MIIGyjCCBbKgAwIBAgIQHBownU2zLLk3qx+TS3RGgDANBgkqhkiG9w0BAQsFADBH
4Ph7mafLwwPiiM6cWRbzxQF+8WDDpZPDEOftR5IZKXTvmVTIHSHbHuqwqJ4LX/vw
LYzbXyVnRVABDDszcK+WYncXK7EV9OeKn8tJlvnFahbQtW+F7x6VnQWE3Q73DW1o
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMX
+AEOHFRmkV40V3gKfcZd
-----END CERTIFICATE-----
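The merge step above, written out as an added shell example (it is not part of the original article): it concatenates the three files in the required order, re-emits every line with a newline so an END marker can never run into the next BEGIN marker, creates the output readable by its owner only, and checks that the result starts with exactly one private key followed by at least two certificates. The input file names are placeholders, and the optional key/certificate match check assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original article): build haproxy.pem in the
# order HAProxy expects (private key, server certificate, intermediate CA)
# and check the result before pointing "bind ... crt" at it.

# Print the label of every "-----BEGIN ...-----" line, in file order.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 only when the file starts with exactly one private key block and
# is followed by nothing but certificates, at least two of them (server
# certificate, then the intermediate). Anything else, including an
# encrypted key HAProxy could not load unattended, is rejected.
check_pem_order() {
    types=$(pem_block_types "$1")
    [ -n "$types" ] || return 1
    first=$(printf '%s\n' "$types" | sed -n '1p')
    case "$first" in
        "PRIVATE KEY" | "RSA PRIVATE KEY" | "EC PRIVATE KEY") ;;
        *) return 1 ;;
    esac
    rest=$(printf '%s\n' "$types" | sed '1d')
    ncert=$(printf '%s\n' "$rest" | grep -c '^CERTIFICATE$' || true)
    nother=$(printf '%s\n' "$rest" | grep -vc '^CERTIFICATE$' || true)
    [ "$ncert" -ge 2 ] && [ "$nother" -eq 0 ]
}

# Concatenate key, server certificate and intermediate (in that order) into
# the output file. "awk 1" re-emits every line with a trailing newline, so a
# source file without one cannot glue its END marker to the next BEGIN
# marker. The subshell umask keeps the private key readable by the owner
# only. Arguments: key cert intermediate output.
merge_pem() {
    ( umask 077; awk 1 "$1" "$2" "$3" > "$4" ) || return 1
    check_pem_order "$4"
}

# Optional sanity check (needs the openssl CLI): the public key derived from
# the private key must equal the public key inside the first certificate.
verify_key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Usage (placeholder paths):
#   sh merge_pem.sh privkey.pem server.crt intermediate.crt /etc/haproxy/haproxy.pem
if [ "$#" -eq 4 ]; then
    merge_pem "$1" "$2" "$3" "$4" && verify_key_matches_cert "$4" \
        && echo "wrote $4: $(pem_block_types "$4" | tr '\n' ' ')"
fi
```

The order check runs on the merged file rather than on the inputs because a wrongly ordered file is the most common reason HAProxy refuses to start with "unable to load SSL private key": it looks for the key and the first certificate in that file, in that order.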

Configuring the SSL certificate in haproxy.cfg

frontend main-https
    bind *:443 ssl crt /etc/haproxy/haproxy.pem
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    default_backend app

The example above uses port 443 for HTTPS; change it to another port if required. The simplest way to build this section is to copy the existing frontend for the HTTP port and adapt it. /etc/haproxy/haproxy.pem is the merged certificate file from the previous step.

Security settings

Add the following lines to the global section:

tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers ECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
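A pre-reload lint for haproxy.cfg, added here as an example and not part of the original article, covering both the frontend section and the global settings above: it reports which of the three global directives are missing, whether ssl-default-bind-options actually contains no-sslv3, and whether every bind that enables ssl also names a certificate file with crt. The directive names are the ones from this article; the config path is a command-line argument and the config files in the usage are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): report which TLS settings
# from the article are missing from a haproxy.cfg before reloading HAProxy.
# Usage: sh check_haproxy_tls.sh /etc/haproxy/haproxy.cfg
# Exit status is 0 only when nothing is reported.

# Print the body of one section, e.g. cfg_section haproxy.cfg global or
# cfg_section haproxy.cfg "frontend main-https": the lines after its header
# up to the next section header. Header whitespace is normalised first.
cfg_section() {
    awk -v want="$2" '
        /^[[:space:]]*(global|defaults|frontend|backend|listen|peers|resolvers)([[:space:]]|$)/ {
            header = $0
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", header)   # trim
            gsub(/[[:space:]]+/, " ", header)                 # squeeze spaces
            insec = (header == want)
            next
        }
        insec { print }
    ' "$1"
}

# True when the section text ($1) has a line starting with directive $2.
has_directive() {
    printf '%s\n' "$1" | grep -qE "^[[:space:]]*$2([[:space:]]|$)"
}

# Check the global section for the three hardening directives and make sure
# the bind options really disable SSLv3. One "global: ..." line per finding.
check_global_tls() {
    g=$(cfg_section "$1" global)
    rc=0
    for d in tune.ssl.default-dh-param ssl-default-bind-options ssl-default-bind-ciphers; do
        if ! has_directive "$g" "$d"; then
            echo "global: missing $d"; rc=1
        fi
    done
    if has_directive "$g" ssl-default-bind-options &&
       ! printf '%s\n' "$g" | grep -E '^[[:space:]]*ssl-default-bind-options' | grep -q 'no-sslv3'; then
        echo "global: ssl-default-bind-options does not include no-sslv3"; rc=1
    fi
    return $rc
}

# Every "bind" line that enables ssl must name a certificate with crt
# (or crt-list); report the line number of each one that does not.
check_ssl_binds() {
    bad=$(grep -nE '^[[:space:]]*bind[[:space:]]' "$1" |
          grep -E '[[:space:]]ssl([[:space:]]|$)' |
          grep -vE '[[:space:]]crt(-list)?[[:space:]]' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^\([0-9]*\):.*/bind enables ssl without crt at line \1/'
    return 1
}

# Run both checks; returns 1 if either reported something.
lint_haproxy_tls() {
    ok=0
    check_global_tls "$1" || ok=1
    check_ssl_binds "$1" || ok=1
    return $ok
}

if [ "$#" -eq 1 ]; then
    lint_haproxy_tls "$1" && echo "$1: TLS settings present"
fi
```

Run it before `haproxy -c -f` in the deployment step so a config that parses but silently keeps weak defaults is caught; the section parser is deliberately simple and only understands the section keywords listed in cfg_section.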