diff --git a/apisix/plugins/wolf-rbac.lua b/apisix/plugins/wolf-rbac.lua
index 9d54d3758830..e276071863e7 100644
--- a/apisix/plugins/wolf-rbac.lua
+++ b/apisix/plugins/wolf-rbac.lua
@@ -241,7 +241,7 @@ end
 function _M.rewrite(conf, ctx)
 local url = ctx.var.uri
 local action = ctx.var.request_method
- local client_ip = ctx.var.http_x_real_ip or core.request.get_ip(ctx)
+ local client_ip = core.request.get_remote_client_ip(ctx)
 local perm_item = {action = action, url = url, clientIP = client_ip}
 core.log.info("hit wolf-rbac rewrite")
@@ -422,7 +422,7 @@ local function get_wolf_token(ctx)
 if rbac_token == nil then
 local url = ctx.var.uri
 local action = ctx.var.request_method
- local client_ip = core.request.get_ip(ctx)
+ local client_ip = core.request.get_remote_client_ip(ctx)
 local perm_item = {action = action, url = url, clientIP = client_ip}
 core.log.info("no permission to access ", core.json.delay_encode(perm_item), ", need login!")
diff --git a/t/lib/server.lua b/t/lib/server.lua
index 97908e214e72..48ca158486c8 100644
--- a/t/lib/server.lua
+++ b/t/lib/server.lua
@@ -318,6 +318,7 @@ function _M.wolf_rbac_access_check()
 local args = ngx.req.get_uri_args()
 local resName = args.resName
+ ngx.log(ngx.WARN, "wolf_rbac_access_check clientIP: ", args.clientIP or "")
 if resName == '/hello' or resName == '/wolf/rbac/custom/headers' then
 ngx.say(json_encode({ok=true, data={
 userInfo={nickname="administrator",
diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t
index 86cf0bf45cfd..b7bf5f8998b0 100644
--- a/t/plugin/wolf-rbac.t
+++ b/t/plugin/wolf-rbac.t
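Review bot: The rewrite hunk now sources clientIP from `core.request.get_remote_client_ip(ctx)`, so whether a forwarded X-Real-IP is honoured presumably depends entirely on the realip configuration the deployment gives nginx (the new tests set `real_ip_header` and `set_real_ip_from`); without that configuration the value sent to wolf-server changes from the header value to the immediate peer address, a visible behaviour change for operators who relied on the old `ctx.var.http_x_real_ip` fallback. That deserves a line in the plugin docs and a comment above the assignment such as `-- clientIP comes from nginx's real-IP chain (trusted proxies only); an X-Real-IP from an untrusted peer is no longer forwarded to wolf-server`. The same point applies to the get_wolf_token hunk at line 422, which previously used `core.request.get_ip(ctx)` and is now aligned with rewrite. The bodies of both `_M.rewrite` and `get_wolf_token` continue outside their hunks.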
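Review bot: The added `ngx.log(ngx.WARN, ...)` line in wolf_rbac_access_check exists only so the new tests can assert on the clientIP the plugin forwarded, but nothing in the stub says so; a comment such as `-- logged at WARN so t/plugin/wolf-rbac.t can assert on the forwarded clientIP` would keep a later maintainer from lowering the level or dropping it. `args.clientIP or ""` also prints an empty value when the plugin sends no clientIP at all, so a missing field is indistinguishable from an empty string in the log assertions; logging a marker such as `args.clientIP or "<nil>"` would make that case visible. The function continues outside the hunk.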
@@ -860,3 +860,33 @@ ssl_verify: true
 qr/ssl_verify/
 --- no_error_log
 [error]
+
+
+
+=== TEST 41: clientIP forwarded from trusted X-Real-IP source
+--- http_config
+real_ip_header X-Real-IP;
+set_real_ip_from 127.0.0.1;
+--- request
+GET /hello
+--- more_headers
+Authorization: V1#wolf-rbac-app#wolf-rbac-token
+X-Real-IP: 192.0.2.10
+--- error_log
+wolf_rbac_access_check clientIP: 192.0.2.10
+
+
+
+=== TEST 42: spoofed X-Real-IP from untrusted source is ignored
+--- http_config
+real_ip_header X-Real-IP;
+set_real_ip_from 192.0.2.1;
+--- request
+GET /hello
+--- more_headers
+Authorization: V1#wolf-rbac-app#wolf-rbac-token
+X-Real-IP: 192.0.2.10
+--- error_log
+wolf_rbac_access_check clientIP: 127.0.0.1
+--- no_error_log
+wolf_rbac_access_check clientIP: 192.0.2.10
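Review bot: TEST 41 and TEST 42 assert only on the error log and not on the response, so a request that is rejected for an unrelated reason after the stub has already logged the clientIP would still pass; adding `--- error_code: 200` (or a `--- response_body` check) to both cases would pin that the authorised path actually completed. TEST 42 also depends on the test client connecting from 127.0.0.1 so that `set_real_ip_from 192.0.2.1` excludes it — that is what makes the expected `clientIP: 127.0.0.1` line hold, and it is worth stating in the test title or a comment so the case is not "fixed" by widening the trusted range. The `--- no_error_log` check on the spoofed value is the right negative assertion and should stay.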