The previous wording ("silently routed to the fronting domain")
is inaccurate. In mtglib/proxy.go the blocklist path calls
conn.Close() immediately with no further handshake or fronting;
domain fronting only happens on FakeTLS failures for non-blocked
IPs. Reword to "TCP connection is closed with no response" so
users searching the docs get the same symptom they actually see.

Document firehol_level1 RFC1918 gotcha in blocklist defaults

The default [defense.blocklist] uses firehol_level1.netset, which
includes bogon networks and therefore all RFC1918 ranges. Clients
connecting from a LAN address (e.g. a phone on the home Wi-Fi when
mtg runs at home) are silently rejected with "ip was blacklisted"
and routed to the fronting domain. This is a recurring source of
confusion (see issue #466 for the latest example).
Add a warning next to the urls list in example.config.toml and a
Troubleshooting section in README.md covering the symptom, the
cause, and three resolution paths (disable blocklist, swap for a
narrower list, or use hairpin NAT).
Docs only, no code changes.
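
The gotcha described in the message above can be checked before deployment. The Go sketch below is an added example, not part of the commit and not mtg's own code. It parses a netset-style list and reports which entry would reject a LAN client. The names `ParseNetset` and `LANBlocked` are hypothetical, and the list contents are a constructed sample rather than the real firehol_level1 data.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// ParseNetset reads one IP or CIDR per line, skipping '#' comments and blanks.
func ParseNetset(text string) ([]netip.Prefix, error) {
	var list []netip.Prefix
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		p, err := netip.ParsePrefix(line)
		if a, aerr := netip.ParseAddr(line); aerr == nil { // bare host entry
			p, err = netip.PrefixFrom(a, a.BitLen()), nil
		}
		if err != nil {
			return nil, fmt.Errorf("bad netset entry %q: %w", line, err)
		}
		list = append(list, p.Masked())
	}
	return list, nil
}

// LANBlocked returns the list entry that rejects a private (e.g. RFC1918) client.
func LANBlocked(list []netip.Prefix, client string) (netip.Prefix, bool) {
	a, err := netip.ParseAddr(client)
	for _, p := range list {
		if err == nil && a.IsPrivate() && p.Contains(a) {
			return p, true
		}
	}
	return netip.Prefix{}, false
}

func main() {
	// Constructed .netset excerpt; this is not the real firehol_level1 list.
	list, err := ParseNetset("# sample\n10.0.0.0/8\n192.168.0.0/16\n198.51.100.7\n")
	if err != nil {
		panic(err)
	}
	for _, c := range []string{"192.168.1.23", "10.8.0.2", "203.0.113.9"} {
		entry, hit := LANBlocked(list, c)
		fmt.Printf("%-14s lan-blocked=%v entry=%v\n", c, hit, entry)
	}
}
```

Running the same check against the downloaded list file and the addresses of expected LAN clients shows whether the default blocklist needs to be disabled or swapped for a narrower one.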