The TOML configuration file is documented in example.config.toml -
every option is listed with its default value and an inline comment.
But the README never links to it directly: it just says "please
checkout an example configuration file" / "please check configuration
file example", which is easy to skim past when looking for a config
reference.

This patch:
- makes example.config.toml an explicit link in the "Prepare a
  configuration file" section and calls it out as the configuration
  documentation;
- adds the same link to the Doppelganger and Metrics sections, which
  also point readers at the example file.

No content/option changes - README only.

The previous wording ("silently routed to the fronting domain")
is inaccurate. In mtglib/proxy.go the blocklist path calls
conn.Close() immediately with no further handshake or fronting;
domain fronting only happens on FakeTLS failures for non-blocked
IPs. Reword to "TCP connection is closed with no response" so
users searching the docs get the same symptom they actually see.

The default [defense.blocklist] uses firehol_level1.netset, which
includes bogon networks and therefore all RFC1918 ranges. Clients
connecting from a LAN address (e.g. a phone on the home Wi-Fi when
mtg runs at home) are silently rejected with "ip was blacklisted"
and routed to the fronting domain. This is a recurring source of
confusion (see issue #466 for the latest example).

Add a warning next to the urls list in example.config.toml and a
Troubleshooting section in README.md covering the symptom, the
cause, and three resolution paths (disable blocklist, swap for a
narrower list, or use hairpin NAT).

Docs only, no code changes.

It seems that default DynamicUser limits are very low. We have to
increase them anyway.

added the missing slash mentioned in issue #287

AmbientCapabilities=CAP_NET_BIND_SERVICE

replace : with /

- remove MTG_STATSD_PORT, because it is not used in the code
- update MTG_STATSD_ADDR description to reflect all possible use cases