Table of Contents
- Introduction
- Why HTTPS Matters for Dolibarr
- What You Need to Enable HTTPS
- Choosing Between Self-Hosting and Hosted Environments
- Obtaining an SSL Certificate (Free and Paid Options)
- Setting Up HTTPS on Apache
- Setting Up HTTPS on Nginx
- Using Let's Encrypt with Certbot
- Configuring Virtual Hosts for Dolibarr
- Redirecting HTTP to HTTPS
- Updating Dolibarr Configuration for HTTPS
- Testing and Verifying SSL Installation
- Securing Cookies and Session Data
- Enforcing HTTPS in the Dolibarr Interface
- Handling Mixed Content Warnings
- HTTPS and Dolibarr API Security
- Using HTTPS with Mobile or External Access
- Backup and Disaster Recovery with Encrypted Channels
- Common Errors and How to Fix Them
- Conclusion: Keeping Dolibarr Safe in 2025 and Beyond
1. Introduction
Dolibarr is a powerful ERP/CRM solution used by freelancers, small businesses, and organizations around the world. As more companies move toward digital platforms, data protection has become a core concern. One of the first and most crucial steps in securing your Dolibarr installation is enabling HTTPS access.
This guide provides a comprehensive walkthrough on securing Dolibarr with HTTPS. Whether you're self-hosting or using a cloud provider, we’ll explain the tools, configuration steps, and best practices you need to follow.
2. Why HTTPS Matters for Dolibarr
HTTPS encrypts the data transmitted between the user and the server. Without HTTPS:
- Passwords and session tokens can be intercepted
- Client data can be exposed in transit
- Browsers will flag your application as insecure

In Dolibarr, HTTPS helps protect:
- User logins
- Financial data
- Client records and communications
3. What You Need to Enable HTTPS
To use HTTPS with Dolibarr, you’ll need:
- A web server (Apache or Nginx)
- A domain name pointing to your Dolibarr server
- An SSL certificate (from Let's Encrypt or a paid provider)
- Shell access (root or sudo) to configure the server
If you're using a hosting provider, check whether SSL setup is part of the control panel.
4. Choosing Between Self-Hosting and Hosted Environments
With self-hosting, you control the web server configuration and SSL setup. This provides flexibility but requires technical skills.
With SaaS or shared hosting, your provider may offer one-click HTTPS setup. However, you may have limited control over advanced security features.
5. Obtaining an SSL Certificate (Free and Paid Options)
You can obtain an SSL certificate from:
- Let's Encrypt (free, 90-day renewals, widely supported)
- Commercial CAs like Comodo, Sectigo, DigiCert (offer warranties and extended validation)
For most Dolibarr use cases, Let's Encrypt is sufficient.
6. Setting Up HTTPS on Apache
For Apache:
- Install SSL module:

```bash
sudo a2enmod ssl
```

- Create or modify the virtual host:

```apache
<VirtualHost *:443>
    ServerName dolibarr.yourdomain.com
    DocumentRoot /var/www/dolibarr/htdocs
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/dolibarr.yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/dolibarr.yourdomain.com/privkey.pem
</VirtualHost>
```

- Restart Apache:

```bash
sudo systemctl restart apache2
```
7. Setting Up HTTPS on Nginx
For Nginx:

```nginx
server {
    listen 443 ssl;
    server_name dolibarr.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/dolibarr.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dolibarr.yourdomain.com/privkey.pem;
    root /var/www/dolibarr/htdocs;
    index index.php;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # A PHP-FPM handler (a "location ~ \.php$" block with fastcgi_pass) is also
    # required here; without it Nginx serves .php source instead of executing it.
}
```

Restart Nginx with `sudo systemctl restart nginx`.
8. Using Let's Encrypt with Certbot
Certbot automates the certificate issuance and renewal process:

```bash
sudo apt install certbot python3-certbot-apache
sudo certbot --apache -d dolibarr.yourdomain.com
```

For Nginx, use:

```bash
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d dolibarr.yourdomain.com
```

Certbot will handle renewal automatically via cron.
9. Configuring Virtual Hosts for Dolibarr
Ensure that your virtual host correctly points to Dolibarr’s `/htdocs/` directory. Also check:
- PHP is enabled for `.php` files
- File permissions are correct
- Index file priority includes `index.php`
10. Redirecting HTTP to HTTPS
To avoid confusion and security risks, redirect all HTTP traffic to HTTPS.
In Apache:

```apache
<VirtualHost *:80>
    ServerName dolibarr.yourdomain.com
    Redirect permanent / https://dolibarr.yourdomain.com/
</VirtualHost>
```

In Nginx:

```nginx
server {
    listen 80;
    server_name dolibarr.yourdomain.com;
    return 301 https://$host$request_uri;
}
```
11. Updating Dolibarr Configuration for HTTPS
After enabling HTTPS, log in to Dolibarr and go to: Home > Setup > Other Setup

Update the value of `MAIN_APPLICATION_URL` to:

```
https://dolibarr.yourdomain.com
```

This ensures all links and API calls use HTTPS.
12. Testing and Verifying SSL Installation
Use these tools:
- SSL Labs Test: https://www.ssllabs.com/ssltest/
- curl: `curl -I https://dolibarr.yourdomain.com`
- Browser lock icon: Verify certificate validity

Ensure your certificate is trusted, not expired, and uses strong encryption.
13. Securing Cookies and Session Data
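Edit your PHP config or `.htaccess` to add:

```ini
; php.ini syntax. In .htaccess (mod_php only) the equivalent form is
; "php_flag session.cookie_secure on", and likewise for cookie_httponly.
session.cookie_secure = 1
session.cookie_httponly = 1
```

This helps prevent session hijacking: cookies are transmitted only over HTTPS and are not accessible to page scripts.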
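As an added example (not part of the original guide), these shell functions check a `curl -sI` header dump for the permanent redirect from section 10 and for the cookie flags set above. The sample responses and the cookie names in them are constructed for illustration.

```shell
#!/usr/bin/env bash
# Audit header dumps (as printed by `curl -sI URL`) for the HTTP-to-HTTPS
# redirect and for Secure/HttpOnly on every Set-Cookie line.

# Succeeds only for a permanent redirect (301/308) to an https:// URL.
redirects_to_https() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    NR == 1 && ($2 == "301" || $2 == "308") { perm = 1 }
    tolower($1) == "location:" && $2 ~ /^https:\/\// { https = 1 }
    END { exit !(perm && https) }'
}

# Prints the name of each cookie lacking Secure or HttpOnly; fails if any.
insecure_cookies() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    tolower($0) ~ /^set-cookie:/ {
      line = $0; sub(/^[^:]*: */, "", line)
      name = line; sub(/=.*/, "", name)
      attrs = tolower(line) ";"          # terminate the last attribute
      if (attrs !~ /; *secure *;/ || attrs !~ /; *httponly *;/) {
        print name; bad = 1
      }
    }
    END { exit bad + 0 }'
}

# Constructed sample responses (not captured from a real server).
HTTP_SAMPLE='HTTP/1.1 301 Moved Permanently
Location: https://dolibarr.yourdomain.com/'
HTTPS_SAMPLE='HTTP/1.1 200 OK
Set-Cookie: SESSION_A=constructed1; path=/; HttpOnly
Set-Cookie: SESSION_B=constructed2; path=/; secure; HttpOnly; SameSite=Lax'

# Live use:
#   redirects_to_https "$(curl -sI http://dolibarr.yourdomain.com/)"
#   insecure_cookies   "$(curl -sI https://dolibarr.yourdomain.com/)"
```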
14. Enforcing HTTPS in the Dolibarr Interface
Dolibarr includes constants like:

```php
define('FORCE_SSL', 1);
```

Add this to `conf/conf.php` to force SSL for all internal links.
15. Handling Mixed Content Warnings
If you include non-secure (HTTP) assets in Dolibarr:
- CSS, JS, image links may trigger warnings
- Use relative or HTTPS-based URLs
Scan and replace hardcoded HTTP links in custom modules or templates.
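One way to run that scan, as an added example rather than a Dolibarr tool: the function below lists hardcoded `http://` sub-resources while skipping plain `<a href>` links and XML namespace URIs, which are not mixed content. The file extensions, the `custom/` module path and the sample tree are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# List hardcoded http:// sub-resources (script/img src, <link href>, CSS url())
# under a directory, printed as file:line:text.
scan_mixed_content() {
  find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.tpl' \
       -o -name '*.css' -o -name '*.js' \) \
    -exec grep -nEi \
      -e "src[[:space:]]*=[[:space:]]*[\"']http://" \
      -e "<link[^>]*href[[:space:]]*=[[:space:]]*[\"']http://" \
      -e "url\\([[:space:]]*[\"']?http://" \
      /dev/null {} +   # /dev/null forces grep to print the file name
}

# Constructed sample module tree (not real Dolibarr files); prints its path.
make_sample_tree() {
  sample_dir=$(mktemp -d) || return 1
  mkdir -p "$sample_dir/custom/mymodule/css"
  cat > "$sample_dir/custom/mymodule/page.php" <<'EOF'
<script src="http://cdn.example.com/lib.js"></script>
<link rel="stylesheet" href='http://cdn.example.com/site.css'>
<a href="http://example.com/docs">external docs</a>
<img src="/theme/logo.png">
<svg xmlns="http://www.w3.org/2000/svg"></svg>
EOF
  printf 'body { background: url(http://cdn.example.com/bg.png); }\n' \
    > "$sample_dir/custom/mymodule/css/style.css"
  printf '%s\n' "$sample_dir"
}

# Live use (path assumed from the DocumentRoot used in this guide):
#   scan_mixed_content /var/www/dolibarr/htdocs/custom
```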
16. HTTPS and Dolibarr API Security
When using the REST API:
- Ensure all calls go to `https://`
- Use tokens, not plain passwords
- Validate SSL certs in client apps
HTTPS is essential when handling customer or financial data via API.
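The three points above combined in a small curl wrapper, as an added example that is not Dolibarr's own client code. It assumes the token is supplied in a `DOLIBARR_API_TOKEN` environment variable and sent in Dolibarr's `DOLAPIKEY` header; the function names and the `<resource>` path are placeholders.

```shell
#!/usr/bin/env bash
# Build a curl config line carrying the API token (assumed DOLAPIKEY header).
api_curl_config() {
  printf 'header = "DOLAPIKEY: %s"\n' "$DOLIBARR_API_TOKEN"
}

# GET a Dolibarr REST API URL over verified HTTPS only.
dolibarr_api_get() {
  api_url=$1
  case $api_url in
    https://*) ;;
    *) echo "refusing non-HTTPS URL: $api_url" >&2; return 2 ;;
  esac
  [ -n "${DOLIBARR_API_TOKEN:-}" ] || {
    echo "DOLIBARR_API_TOKEN is not set" >&2; return 3
  }
  # No -k/--insecure: curl verifies the certificate chain and host name.
  # --proto/--proto-redir keep a redirect from downgrading to http://.
  # The header is fed through --config on stdin, so the token never shows
  # up in the process list the way a -H argument would.
  api_curl_config |
    curl --silent --show-error --fail \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --config - "$api_url"
}

# Live use (replace <resource> with the API resource you need):
#   DOLIBARR_API_TOKEN=... dolibarr_api_get \
#     "https://dolibarr.yourdomain.com/api/index.php/<resource>"
```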
17. Using HTTPS with Mobile or External Access
If staff or clients access Dolibarr remotely:
- Use a valid SSL certificate (not self-signed)
- Avoid public Wi-Fi without a VPN
- Limit admin access with IP whitelisting or MFA
HTTPS helps protect external users and data on the move.
18. Backup and Disaster Recovery with Encrypted Channels
When backing up Dolibarr:
- Use SCP, SFTP, or rsync over SSH
- Encrypt backups before transferring
- Store backups in secure, HTTPS-accessible storage if cloud-based
Avoid FTP or unencrypted HTTP for any transfer involving Dolibarr.
19. Common Errors and How to Fix Them
| Error | Solution |
|---|---|
| SSL_ERROR_BAD_CERT_DOMAIN | Check if your cert matches domain |
| Mixed content warnings | Replace HTTP assets in templates |
| 403 Forbidden after HTTPS | Check file permissions and .htaccess |
| SSL handshake failed | Validate certificate and server time |
20. Conclusion: Keeping Dolibarr Safe in 2025 and Beyond
Enabling HTTPS for Dolibarr is not just a recommendation—it’s a must. It ensures data security, user trust, and compliance with modern privacy standards. Whether you're self-hosting or relying on a provider, setting up HTTPS should be part of your initial Dolibarr deployment plan.
With a secure setup, your Dolibarr instance becomes a robust, professional platform ready for growth and safe client engagement.