Table of Contents
- Introduction
- Why HTTPS Matters for Dolibarr
- Understanding SSL/TLS and HTTPS Basics
- Pre-requisites for HTTPS Implementation
- Choosing the Right SSL Certificate
- Installing SSL on Common Web Servers
  - Apache
  - Nginx
- Configuring Virtual Hosts for HTTPS
- Forcing HTTPS in Dolibarr Configuration
- Updating Dolibarr Base URL to HTTPS
- Redirecting All Traffic to HTTPS
- Handling Mixed Content Warnings
- Verifying SSL Installation and Certificate Validity
- HTTPS and Module Interoperability
- Using Let’s Encrypt for Free SSL
- Automatic Renewal and Cron Jobs for SSL
- Testing and Validating Secure Access
- Security Headers to Add After HTTPS Setup
- HTTPS in Multicompany and Subdomain Configurations
- Performance Considerations with HTTPS
- Conclusion
1. Introduction
HTTPS is no longer optional—it's a necessity. When using Dolibarr ERP/CRM to manage sensitive business data, secure communication between users and the server is critical. This guide explains how to configure Dolibarr to use HTTPS securely and effectively.
2. Why HTTPS Matters for Dolibarr
Using HTTPS protects:
- User login credentials
- Financial and customer data
- Uploaded documents and form submissions
Without HTTPS, these can be intercepted via man-in-the-middle (MITM) attacks.
HTTPS also improves SEO and user trust, and it's often required for features like OAuth authentication or secure APIs.
3. Understanding SSL/TLS and HTTPS Basics
- SSL and TLS are cryptographic protocols that give a connection confidentiality, integrity and server authentication. SSL is the deprecated predecessor of TLS; a modern server should offer only TLS.
- HTTPS is HTTP carried over a TLS connection.
- A certificate proves that the server controls the domain name; the TLS handshake then negotiates the keys that encrypt the traffic.
Dolibarr itself doesn’t handle encryption—it relies on the web server (Apache, Nginx, etc.).
4. Pre-requisites for HTTPS Implementation
- A valid domain name (not just an IP address)
- A publicly reachable server (or an internal CA for intranet use)
- Administrative access to your web server
- Dolibarr properly installed and functional on HTTP
5. Choosing the Right SSL Certificate
Options include:
- Let’s Encrypt: Free, widely supported, auto-renewable
- Commercial SSL: For longer validity and warranties
- Wildcard SSL: Covers subdomains (useful in multicompany setups)
For most use cases, Let’s Encrypt is ideal and cost-effective.
6. Installing SSL on Common Web Servers
Apache Example (Ubuntu):
sudo apt update
sudo apt install certbot python3-certbot-apache
sudo certbot --apache
Nginx Example:
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx
Follow the prompts to generate and install the certificate.
7. Configuring Virtual Hosts for HTTPS
For Apache (requires mod_ssl, enabled on Debian/Ubuntu with sudo a2enmod ssl):
<VirtualHost *:443>
    ServerName yourdomain.com
    # Dolibarr's web root is the htdocs directory of the installation
    DocumentRoot /var/www/dolibarr/htdocs
    SSLEngine on
    # Paths created by certbot; fullchain.pem includes the intermediate certificate
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
</VirtualHost>
For Nginx (keep the PHP-FPM location block from your existing HTTP server block; it is omitted here):
server {
    listen 443 ssl;
    server_name yourdomain.com;
    # Paths created by certbot; fullchain.pem includes the intermediate certificate
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # Dolibarr's web root is the htdocs directory of the installation
    root /var/www/dolibarr/htdocs;
}
8. Forcing HTTPS in Dolibarr Configuration
Edit htdocs/conf/conf.php:
$dolibarr_main_force_https = 1;
This tells Dolibarr to redirect all HTTP requests to HTTPS automatically. Keep the web-server redirect from section 10 as well: this setting only takes effect once a PHP page is executed, so it does not cover files the web server delivers directly.
9. Updating Dolibarr Base URL to HTTPS
In Dolibarr:
- Go to Setup > Other Setup
- Update any URLs containing http:// to https://
- This is especially relevant for document paths and external links
- Also check $dolibarr_main_url_root in htdocs/conf/conf.php, which Dolibarr uses to build absolute URLs (for example in e-mails and document links); it must start with https://
10. Redirecting All Traffic to HTTPS
Apache (via .htaccess; requires mod_rewrite and AllowOverride for the Dolibarr directory):
RewriteEngine On
# Only rewrite requests that did not arrive over TLS
RewriteCond %{HTTPS} off
# Permanent redirect to the same host and path over HTTPS
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Nginx (the plain-HTTP server block does nothing but redirect):
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}
11. Handling Mixed Content Warnings
Mixed content occurs when HTTPS pages load HTTP resources:
- Update image, script and CSS links to https://
- Use relative paths where possible
- Scan templates and custom modules for hardcoded URLs
Use browser dev tools (Console tab) to identify insecure elements.
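The dev-tools console shows insecure elements one page at a time. The following added example (written for this article, not part of Dolibarr) scans saved markup or a custom module's template for the sub-resources that trigger mixed-content warnings, using only the standard library; the sample page it runs on is constructed.

```python
"""Find mixed-content candidates in markup served over HTTPS.

Anchors (<a href>) are deliberately excluded: a link to an http:// site is not
mixed content; only resources the page itself loads (or posts to) are.
"""
from html.parser import HTMLParser

# Attributes whose value the browser fetches while rendering the page.
FETCHED_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),          # stylesheets, icons, preloads
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),        # an http:// action is an insecure form post
}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in FETCHED_ATTRS.get(tag, ()):
                # srcset holds comma-separated "url descriptor" pairs
                urls = ([p.split()[0] for p in value.split(",") if p.strip()]
                        if name == "srcset" else [value])
                for url in urls:
                    if url.lower().startswith("http://"):
                        self.findings.append((self.getpos()[0], tag, name, url))


def scan_html(markup):
    """Return (line, tag, attribute, url) for every http:// sub-resource found."""
    scanner = MixedContentScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed sample page: two insecure resources, one relative path, one plain link.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<script src="https://yourdomain.com/js/app.js"></script>
</head><body>
<img src="/viewimage.php?file=logo.png">
<img src="http://yourdomain.com/logo.png">
<a href="http://partner.example.com/">partner</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in scan_html(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```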
12. Verifying SSL Installation and Certificate Validity
Tools:
- Browser lock icon > Certificate > Details
- From a shell, to see the expiry dates and the names the certificate covers: openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null | openssl x509 -noout -dates -ext subjectAltName
Check for:
- Expiration dates
- Intermediate certificate chain
- Correct domain and wildcard coverage
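The same three checks can be scripted for a monitoring job. This added example (not from the article or Dolibarr) evaluates expiry and name coverage, including the single-label rule for wildcard certificates, on the dictionary that Python's ssl.getpeercert() returns; the certificate dictionary below is constructed, and fetch_cert() is the live helper that obtains a real one.

```python
"""Check a server certificate's expiry and hostname coverage."""
import socket
import ssl
import time


def san_matches(pattern, hostname):
    """Exact match, or a '*' that stands for exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".example.com"
        prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        # covers crm.example.com, but neither example.com nor a.b.example.com
        return prefix != "" and "." not in prefix
    return False


def not_after_seconds(cert):
    """Expiry of a getpeercert()-style dict as a Unix timestamp."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def check_cert(cert, hostname, now=None, warn_days=14):
    """Return findings for a getpeercert()-style certificate dict."""
    now = time.time() if now is None else now
    days_left = (not_after_seconds(cert) - now) / 86400
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "days_left": round(days_left, 1),
        "expired": days_left <= 0,
        "renew_soon": 0 < days_left <= warn_days,  # Let's Encrypt certs last 90 days
        "hostname_covered": any(san_matches(s, hostname) for s in sans),
    }


def fetch_cert(hostname, port=443):
    """Live helper: connect with full verification and return the peer certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed certificate dict shaped like ssl.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notAfter": "Mar 10 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "crm.example.com"))
```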
13. HTTPS and Module Interoperability
Some modules (e.g., OAuth, payment gateways, APIs) require HTTPS. Ensure:
- Callback URLs use https://
- Token exchanges are secure
- External integrations don’t fail silently due to protocol mismatch
14. Using Let’s Encrypt for Free SSL
Let’s Encrypt is ideal for small to medium businesses:
- Automatic validation
- No cost
- Wide compatibility
Certbot handles domain verification and certificate deployment.
15. Automatic Renewal and Cron Jobs for SSL
Let’s Encrypt certs expire every 90 days. Set up renewal:
sudo crontab -e
0 2 * * * /usr/bin/certbot renew --quiet
On Debian and Ubuntu the certbot package already installs a systemd timer (certbot.timer) that does the same; check with systemctl list-timers before adding a duplicate cron entry. Test renewal manually:
sudo certbot renew --dry-run
16. Testing and Validating Secure Access
Once configured:
- Access Dolibarr using https://yourdomain.com
- Test login, file uploads, API calls
- Verify that sessions don’t fall back to HTTP
17. Security Headers to Add After HTTPS Setup
Enhance HTTPS with the following Apache directives (they need mod_headers; in Nginx the equivalent is add_header):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
These headers protect against common web attacks. Test the Content-Security-Policy value against your pages before deploying it: default-src 'self' blocks inline scripts and styles, which Dolibarr pages and third-party modules commonly use, so a broken page rather than a blocked attack is the first thing you will see if the policy is too strict. Only add Strict-Transport-Security once every subdomain covered by includeSubDomains serves HTTPS correctly, because browsers remember it for the full max-age.
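Browsers do not tell you when a header is missing, so checking the live responses is the only way to confirm the configuration took effect. This added example (written for this article, not part of Dolibarr) audits the headers listed above on the HTTPS response and the redirect on the plain-HTTP response; the two sample responses are constructed, and fetch_response_head() obtains real ones with the standard library.

```python
"""Audit the security headers above and the HTTP-to-HTTPS redirect of section 10."""
import http.client

ONE_YEAR = 31536000


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains' into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives


def audit_response(status, headers, over_tls=True):
    """Return {check: passed} for one response; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    if not over_tls:
        # The plain-HTTP listener must only hand the client over to HTTPS, permanently.
        location = h.get("location", "")
        return {"redirects_to_https": status in (301, 308) and location.startswith("https://")}
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    max_age = int(hsts["max-age"]) if hsts.get("max-age", "").isdigit() else 0
    return {
        "hsts_one_year": max_age >= ONE_YEAR,
        "hsts_subdomains": "includesubdomains" in hsts,
        "csp_present": bool(h.get("content-security-policy")),
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "framing_restricted": h.get("x-frame-options", "").upper() in ("SAMEORIGIN", "DENY"),
    }


def fetch_response_head(host, over_tls=True, path="/"):
    """Live helper: request the page and return (status, headers) for audit_response()."""
    conn_cls = http.client.HTTPSConnection if over_tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())


# Constructed responses: the HTTPS reply after the headers above are set, and the
# plain-HTTP reply produced by the section 10 redirect rule.
SECURE_REPLY = (200, {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
})
REDIRECT_REPLY = (301, {"Location": "https://yourdomain.com/"})

if __name__ == "__main__":
    print(audit_response(*SECURE_REPLY))
    print(audit_response(*REDIRECT_REPLY, over_tls=False))
```

For a live check replace the constructed tuples with fetch_response_head("yourdomain.com") and fetch_response_head("yourdomain.com", over_tls=False).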
18. HTTPS in Multicompany and Subdomain Configurations
Each subdomain must:
- Have its own certificate (or be covered by a wildcard)
- Be configured in the web server
- Be linked to its entity in Dolibarr
Ensure correct redirects and SSL coverage per domain.
19. Performance Considerations with HTTPS
Modern HTTPS is optimized:
- Use HTTP/2 for faster multi-request delivery
- Enable GZIP compression
- Use caching headers for static assets
SSL overhead is minimal on modern servers.
20. Conclusion
Securing your Dolibarr ERP with HTTPS is essential to protect your data, comply with best practices, and enable secure integrations. From certificate installation to full HTTPS enforcement, following these steps will ensure your instance is safe, trusted, and reliable.