Torbjorn Zetterlund

Fri 26 2017

Scaling your RESTful API in CodeIgniter 3.X

by bernt & torsten

I recently wrote about How To Work With RESTful Services In CodeIgniter 3.X – today’s topic is how you extend the CodeIgniter REST server to give your APIs better availability and reliability.

If you’re already experienced sudden increases in API traffic that affects the quality of your service, then you want to read on as I will give some tips on how you can manage your API’s usage.

Increased API traffic

If you have experienced increased traffic, you may have already added more capacity to your infrastructure to accommodate increased API usage. What you also need to factor in, is how robust your APIs are and if the APIs are built for scale and ensure that one bad API user can’t accidentally or deliberately affect your service availability.

If you have experienced any of these scenarios:

  • One of your users is responsible for a spike in traffic, and you want to block or control users’ API usage.
  • One of your users has a misbehaving script which is accidentally sending you a lot of requests. Or, even worse, one of your users is intentionally trying to overwhelm your servers.
  • A user is sending you a lot of lower-priority requests, and you want to make sure that it doesn’t affect your high-priority traffic. For example, users sending a high volume of requests for analytics data could affect critical transactions for other users. This all depends on what type of PIs you are providing.
  • Something in your system has gone wrong internally, and as a result, you can’t serve all of your regular traffic and need to drop low-priority requests.

You can restrict the usage of your APIs, by adding an API strategy based around any of these methods:

  • Authentication
  • Logging
  • Blacklisting
  • Whitelisting
  • Rate Limiting

If you have downloaded Yggdrasil from Github, in the folder app->config you will find rest.php, in rest.php you find all the config values to restrict and manage the CodeIgniter REST server that is included in the Yggdrasil repository, I will now go into in more details, regarding how you can restrict usage to your API’s and how that is configured in Yggdrasil.


To get better control of your API users you should setup Authentication, often service just gives you an API to use, if you API authentication on, there are several ways you can configure authentication.

The first step would be to enable authentication, by setting

$config['rest_auth'] = ‘basic’;

You have other options ” = no login required, ‘basic’ = un-secure login, ‘digest’ = more secure login

When you have enabled authentication, you would need to decide what type of authorization is required, by entering a value in

$config['auth_source'] = '';

The options are ” = use config based users, ‘ldap’ = use LDAP authentication

You can also override auth types for specific class/method, in your modules, this allows you to set specific authentication types for methods within a class (controller)

// $config['auth_override_class_method']['deals']['view'] = 'none';

// $config['auth_override_class_method']['deals']['insert'] = 'digest';

// $config['auth_override_class_method']['accounts']['user'] = 'basic';

Here ‘deals’ and ‘accounts’ are controller names, ‘view’, ‘insert’ and ‘user’ are methods within. (NOTE: leave off the ‘_get’ or ‘_post’ from the end of the method name)

Acceptable values are; ‘none’, ‘digest’ and ‘basic’.

If you have basic authentication setup with auth source empty, you can add the login usernames in

$config['rest_valid_logins'] = array('admin' => '1234');

You can add an array of usernames and passwords for login if LDAP is configured this is ignored


Running a service with API access, you need to watch what is going on with your APIs, with the CodeIgniter REST server which is included in the Github repo of Yggdrasil. You have the option to enable API logging:

$config['rest_enable_logging'] = TRUE;

When set to true REST_Controller will log actions based on API key, date, time and IP address.


You can view the API log to see who is an abuser of your API when you find the offender you should add them to the blacklist.

You can enable the blacklist by setting

$config['rest_ip_blacklist_enabled'] = false;

too true and add any IP address to “rest_ip_blacklist” option

Next, you would look at the offending API user in the API log, and take the IP address and add it to the rest_ip_blacklist in the rest.php.

$config['rest_ip_blacklist'] = '123.456.789.0, 987.654.32.1';

Adding the IP addresses will block these IP addresses from accessing the API.


Instead of blacklisting API users, you could do the opposite to whitelist API users as to your preference.

You would need to enable the Global IP Whitelisting, which will limit connections to your REST server to whitelisted IP addresses.

$config['rest_ip_whitelist_enabled'] = false;

You have some options that you can consider:

  • Set to true *and* select an auth option for extreme security (client’s IP address must be in the whitelist and they must also log in)
  • Set to true with auth set to false to allow whitelisted IPs access with no login.
  • Set to false here but set ‘auth_override_class_method’ to ‘whitelist’ to restrict certain methods to IPs in your whitelist

You can add all your IP that should be whitelisted in the

$config['rest_ip_whitelist'] = '123.456.789.0, 987.654.32.1'; and are allowed by default.

Rate Limiting

You can enable Rest API limits, by enabling

$config['rest_enable_limits'] = FALSE;

When set to true REST_Controller will count the number of uses of each method by an API key each hour.

A rate limiter is used to control the rate of traffic sent or received on the network. When should you use a rate limiter?

If your users can afford to change the pace at which they hit your API endpoints without affecting the outcome of their requests, then a rate limiter is appropriate.

If spacing out their requests is not an option (typically for real-time events), then you’ll need another strategy outside the scope of this post (most of the time you just need more infrastructure capacity).


If you carefully implementing a few of the suggestions mention in this article and you create a strategy around your APIs, it will help keep your APIs available for everyone, you could even monetize your APIs.

Of the methods mention rate limiting is one of the most powerful ways to prepare your API for scale. And don’t forget to try it out with Yggdrasil Codeigniter 3.0 repo

I’m here to help, you can reach out to me by commenting below.