added documentation for the new tcp.proxy module

README.md

@@ -64,13 +64,15 @@ some of which have modules:
   - [proxy (reverse proxy)](#tlsproxy)
   - [acme](#tlsacme)
 * [tcp](#tcp)
+  - [proxy](#tcpproxy)
   - [forward](#tcpforward)
 * [udp](#udp)
   - [forward](#udpforward)
 * [domains](#domains)
 * [tunnel_server](#tunnel_server)
+* [DDNS](#ddns)
 * [tunnel_client](#tunnel)
-* [mdns](#mdns)
+* [mDNS](#mdns)
 * [socks5](#socks5)
 * api
 
@@ -294,6 +296,37 @@ tcp:
       address: '127.0.0.1:2222'
 ```
 
+### tcp.proxy
+
+The proxy module routes traffic based on the servername contained in a SNI header.
+As such this only works to route TCP connections wrapped in a TLS stream.
+
+It has the same options as the [HTTP proxy module](#httpproxy-how-to-reverse-proxy-ruby-python-etc).
+
+Example config:
+```yml
+tcp:
+  modules:
+    - type: proxy
+      domains:
+        - ssh.example.com
+      port: 22
+```
+
+In order to use this to route SSH connections you will need to use `ssh`'s
+`ProxyCommand` option. For example to ssh into `ssh.example.com` you could use
+the following command.
+
+```bash
+ssh user@ssh.example.com -o ProxyCommand='openssl s_client -quiet -connect ssh.example.com:443 -servername ssh.example.com'
+```
+
+Alternatively you could add the following lines to your ssh config file.
+```
+Host ssh.example.com
+  ProxyCommand openssl s_client -quiet -connect ssh.example.com:443 -servername ssh.example.com
+```
+
 ### tcp.forward
 
 The forward module routes traffic based on port number **without decrypting** it.
@@ -366,27 +399,45 @@ udp:
 To reduce repetition defining multiple modules that operate on the same domain
 name the `domains` field can define multiple modules of multiple types for a
 single list of names. The modules defined this way do not need to have their
-own `domains` field.
+own `domains` field. Note that the [tcp.forward](#tcpforward) module is not
+allowed in a domains group since its routing is not based on domains.
 
 Example Config
 
 ```yml
 domains:
-  names:
-    - example.com
-    - www.example.com
-    - api.example.com
-  modules:
-    tls:
-      - type: acme
-        email: joe.schmoe@example.com
-        challenge_type: 'http-01'
-    http:
-      - type: redirect
-        from: /deprecated/path
-        to: /new/path
-      - type: proxy
-        port: 3000
+  - names:
+      - example.com
+      - www.example.com
+      - api.example.com
+    modules:
+      tls:
+        - type: acme
+          email: joe.schmoe@example.com
+          challenge_type: 'http-01'
+      http:
+        - type: redirect
+          from: /deprecated/path
+          to: /new/path
+        - type: proxy
+          port: 3000
+      dns:
+        - type: 'dns@oauth3.org'
+          token_id: user_token_id
+
+  - names:
+      - ssh.example.com
+    modules:
+      tls:
+        - type: acme
+          email: john.smith@example.com
+          challenge_type: 'http-01'
+      tcp:
+        - type: proxy
+          port: 22
+      dns:
+        - type: 'dns@oauth3.org'
+          token_id: user_token_id
 ```