As one of the largest e-commerce companies in China, JD.com manages hundreds of thousands of employee email accounts on an email system built on on-premises Microsoft Exchange servers. To counter increasingly frequent account attacks such as credential stuffing and brute-force password guessing, we set out to require Multi-Factor Authentication (MFA) at account login.
After evaluating community and commercial solutions, we found HAProxy was the only option that met all of our requirements: it is a reverse proxy, it supports the protocols Exchange clients use, and it is customizable. We built the system on it and have been running it stably in production for a year.
Our HAProxy cluster is deployed in front of the Exchange servers. When a client connects, its request is paused in Lua while an external MFA service is asked whether this account is authorized on this device. If the login comes from an unknown environment, the service notifies the user, who confirms and authorizes it via a trusted device or a text message.
The key roles HAProxy plays are protocol proxying, parsing the account's login environment, communicating with the MFA service, and controlling the client. We will share the challenges we met and how we solved them.
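The flow described above (pause the request in Lua, ask an MFA service about the account and device, then let it through or turn it away), as an added example that is not JD.com's code and not part of the talk. It is an HAProxy Lua action for HAProxy 2.5 or later (it uses `core.httpclient`); the MFA service URL, its JSON request/response contract, the cache TTL and the header handling are assumptions made for this example:

```lua
-- mfa_check.lua: an HAProxy Lua action that gates Exchange HTTP requests on an
-- external MFA decision. Assumed HAProxy configuration (HAProxy 2.5+):
--
--   global
--       lua-load /etc/haproxy/mfa_check.lua
--   frontend exchange
--       bind :443 ssl crt /etc/haproxy/certs/mail.pem
--       http-request lua.mfa_check
--       default_backend exchange_cas
--
-- MFA_URL and the service contract (POST JSON, HTTP 200 = authorized, anything
-- else = not authorized) are assumptions for this example, not a real service.

local MFA_URL     = "http://mfa.internal:8080/v1/authorize"  -- assumed endpoint
local MFA_TIMEOUT = 3000   -- ms; a slow MFA service must not hang the mailbox
local CACHE_TTL   = 600    -- seconds an "authorized" answer is reused
local cache       = {}     -- "user|device" -> expiry (one table per Lua state)

-- Minimal JSON string escaping for the fields we send to the MFA service.
local function jstr(s)
    return (s:gsub('[%c"\\]', function(c)
        return string.format("\\u%04x", c:byte())
    end))
end

-- Extract the account name from an HTTP Basic Authorization header.
-- Outlook Anywhere and ActiveSync commonly send Basic over TLS; other schemes
-- (e.g. NTLM) are not parsed by this example and fall through unchanged.
local function basic_user(txn)
    local auth = txn.sf:req_fhdr("Authorization")
    if not auth then return nil end
    local b64 = auth:match("^[Bb]asic%s+(%S+)")
    if not b64 then return nil end
    local decoded = txn.c:b64dec(b64)   -- HAProxy's b64dec converter
    if not decoded then return nil end
    local user = decoded:match("^([^:]+):")
    if user then
        -- Normalize DOMAIN\user and user@domain to a bare, lower-case account
        user = user:gsub("^.*\\", ""):gsub("@.*$", ""):lower()
    end
    return user
end

-- Describe the client environment: the ActiveSync DeviceId where present,
-- otherwise the User-Agent string.
local function device_id(txn)
    local dev = txn.sf:url_param("DeviceId")
    if dev == nil or dev == "" then
        dev = txn.sf:req_fhdr("User-Agent") or "unknown"
    end
    return dev
end

-- Ask the MFA service whether (user, device, src) is authorized. The HTTP call
-- yields, which is what "pauses" the client's request inside HAProxy.
local function mfa_authorized(user, device, src)
    local key = user .. "|" .. device
    local now = core.now().sec
    if cache[key] and cache[key] > now then return true end

    local body = string.format('{"user":"%s","device":"%s","src":"%s"}',
                               jstr(user), jstr(device), jstr(src))
    local hc  = core.httpclient()
    local res = hc:post{ url = MFA_URL, body = body, timeout = MFA_TIMEOUT,
                         headers = { ["content-type"] = { "application/json" } } }
    if res and res.status == 200 then
        cache[key] = now + CACHE_TTL
        return true
    end
    -- Fail closed: a timeout or error from the MFA service denies the login.
    return false
end

core.register_action("mfa_check", { "http-req" }, function(txn)
    local user = basic_user(txn)
    if not user then return end   -- no credentials yet; Exchange will challenge
    local device = device_id(txn)
    local src    = txn.sf:src()
    if mfa_authorized(user, device, src) then
        txn:set_var("txn.mfa_user", user)   -- available to log-format
        return
    end
    txn:Warning(string.format("MFA denied user=%s device=%s src=%s",
                              user, device, src))
    local reply = txn:reply{ status = 403, reason = "Forbidden",
        headers = { ["content-type"] = { "text/plain" } },
        body = "Login from an unrecognized device. Confirm it on your trusted device, then retry.\n" }
    txn:done(reply)
end)
```

Two points a practitioner should check before copying this pattern: the MFA call is made on the request path, so its timeout bounds how long a client waits, and the example fails closed when the service is unreachable, which trades availability for safety and should be a deliberate decision; and the `cache` table lives inside the Lua state, so with `lua-load-per-thread` each thread keeps its own copy and a stick table or the MFA service's own session store is needed if the decision must be shared cluster-wide.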
I am a Security Engineer at JD.com, working on account security.