Lab 4: trace, outside-in debug, and TLS handshake decode

[rikire]

Goal

Trace one POST /notes end-to-end, debug a broken deploy outside-in, and decode a TLS handshake in front of QuickNotes.

Changes

• Task 1: annotated lo packet capture (3-way handshake → POST /notes + JSON → 201 Created → FIN close), five debug commands (ss/ip route/mtr/dig/journalctl), and a 502-debugging reflection.
• Task 2: reproduced bind: address already in use (two instances on :8080), full outside-in chain (process → listening → reachable → firewall → DNS) with a decision at each step, root cause, and a blameless mini-postmortem (≤200 words).
• Bonus: Go TLS-terminating reverse proxy (:8443 → :8080) + self-signed cert; TLS 1.3 handshake decoded via tshark/openssl (ClientHello/ServerHello/cipher), certificate chain, and why supported_versions kills TLS 1.0/1.1 in 2026.
• Artifacts: lab4-trace.txt, lab4-curl.txt, lab4-commands.txt, lab4-task2.txt, lab4-tls-*.txt, helper scripts.

Testing

• Capture verified to contain handshake, HTTP request/response, and close.
• Broken instance reproduced and repaired (/health returns {"status":"ok"}); chain re-verified.
• TLS endpoint negotiated TLSv1.3 / TLS_AES_128_GCM_SHA256; cert chain confirmed via openssl s_client.

Checklist

• Title is a clear sentence (≤ 70 chars)
• Commits are signed (git log --show-signature)
• submissions/lab4.md updated