breaking change: do not trust x-forwarded-* headers by default

docs/user-guide/nginx-configuration/configmap.md

@@ -106,7 +106,7 @@ The following table shows a configuration option's name, type, and the default v
 |[proxy-stream-timeout](#proxy-stream-timeout)|string|"600s"|
 |[proxy-stream-responses](#proxy-stream-responses)|int|1|
 |[bind-address](#bind-address)|[]string|""|
-|[use-forwarded-headers](#use-forwarded-headers)|bool|"true"|
+|[use-forwarded-headers](#use-forwarded-headers)|bool|"false"|
 |[forwarded-for-header](#forwarded-for-header)|string|"X-Forwarded-For"|
 |[compute-full-forwarded-for](#compute-full-forwarded-for)|bool|"false"|
 |[proxy-add-original-uri-header](#proxy-add-original-uri-header)|bool|"true"|

internal/ingress/controller/config/config.go

@@ -588,7 +588,7 @@ func NewDefault() Configuration {
 		EnableDynamicTLSRecords:    true,
 		EnableUnderscoresInHeaders: false,
 		ErrorLogLevel:              errorLevel,
-		UseForwardedHeaders:        true,
+		UseForwardedHeaders:        false,
 		ForwardedForHeader:         "X-Forwarded-For",
 		ComputeFullForwardedFor:    false,
 		ProxyAddOriginalURIHeader:  true,

test/e2e/settings/geoip2.go

@@ -45,6 +45,7 @@ var _ = framework.IngressNginxDescribe("Geoip2", func() {
   AU 0;
 }`
 		f.UpdateNginxConfigMapData("http-snippet", httpSnippetAllowingOnlyAustralia)
+		f.UpdateNginxConfigMapData("use-forwarded-headers", "true")
 
 		f.WaitForNginxConfiguration(
 			func(cfg string) bool {