add support for unprivileged podman container

README.md

 
 ### Prepare a configuration file
 
-Please checkout an example configuration file. All options except of
-`secret` and `bind-to` are optional. You can safely have this minimal
-configuration file:
+mtg is configured via a [TOML](https://toml.io/en/) file. The full
+reference is [`example.config.toml`](./example.config.toml) in this
+repository — every option is listed there with its default value and
+an inline comment explaining what it does. Treat that file as the
+configuration documentation.
+
+All options except `secret` and `bind-to` are optional, so the minimal
+working configuration is:
 
 ```toml
 secret = "ee473ce5d4958eb5f968c87680a23854a0676f6f676c652e636f6d"
 This is enough to run the whole application. All other
 options already have sensible defaults for the app at almost any scale.
 
-Oh, the configuration is done in [TOML format](https://toml.io/en/).
-
 ### Run a proxy
 
 Put a binary and a config into your webserver. Just for example,
 
 ## Doppelganger
 
-mtg can mimic real websites, please take a look at relevant section in example
-config file.
+mtg can mimic real websites — see the `[defense.doppelganger]` section
+in [`example.config.toml`](./example.config.toml).
 
 mtg comes with some very good precollected statistics coming from
 [ok.ru](https://ok.ru/). It does not mean that you have to cover yourself
 
 Out of the box, mtg works with
 [statsd](https://github.com/statsd/statsd) and
-[Prometheus](https://prometheus.io/). Please check configuration file
-example to get how to set this integration up.
+[Prometheus](https://prometheus.io/). See the `[stats.statsd]` and
+`[stats.prometheus]` sections in
+[`example.config.toml`](./example.config.toml) for setup.
 
 Here goes a list of metrics with their types but without a prefix.
 

contrib/sni-router/docker-compose.yml

       - "443:443"
       - "80:80"
     volumes:
-      - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
+      - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro,Z
     depends_on:
       - mtg
       - web
     restart: unless-stopped
+    sysctls:
+      - net.ipv4.ip_unprivileged_port_start=80
 
   mtg:
     image: nineseconds/mtg:2
     volumes:
-      - ./mtg-config.toml:/config/config.toml:ro
+      - ./mtg-config.toml:/config/config.toml:ro,Z
     expose:
       - "3128"
     restart: unless-stopped
+    extra_hosts:
+      - "host.containers.internal:host-gateway"
 
   web:
     image: caddy:alpine
     volumes:
-      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro,Z
       - caddy_data:/data
-      - ./www:/srv:ro
+      - ./www:/srv:ro,Z
     expose:
       - "80"
       - "8443"

internal/cli/doctor.go

 type Doctor struct {
 	conf *config.Config
 
-	ConfigPath string `kong:"arg,required,type='existingfile',help='Path to the configuration file.',name='config-path'"` //nolint: lll
+	ConfigPath      string `kong:"arg,required,type='existingfile',help='Path to the configuration file.',name='config-path'"` //nolint: lll
+	SkipNativeCheck bool   `kong:"help='Skip the native network connectivity check (useful when proxy chaining is configured and direct egress is not expected to work).',name='skip-native-check'"` //nolint: lll
 }
 
 func (d *Doctor) Run(cli *CLI, version string) error {
 	)
 
 	fmt.Println("Validate native network connectivity")
-	everythingOK = d.checkNetwork(base) && everythingOK
+	if d.SkipNativeCheck {
+		fmt.Println("  ⏭ Skipped (--skip-native-check)")
+	} else {
+		everythingOK = d.checkNetwork(base) && everythingOK
+	}
 
 	for _, url := range conf.Network.Proxies {
 		value, err := network.NewProxyNetwork(base, url.Get(nil))