cmd/tailscale,ipn: add Unix socket support for serve

Based on PR #16700 by @lox, adapted to current codebase.

Adds support for proxying HTTP requests to Unix domain sockets via
tailscale serve unix:/path/to/socket, enabling exposure of services
like Docker, containerd, PHP-FPM over Tailscale without TCP bridging.

The implementation includes reasonable protections against exposure of
tailscaled's own socket.

Adaptations from original PR:
- Use net.Dialer.DialContext instead of net.Dial for context propagation
- Use http.Transport with Protocols API (current h2c approach, not http2.Transport)
- Resolve conflicts with hasScheme variable in ExpandProxyTargetValue

Updates #9771

Signed-off-by: Peter A. <ink.splatters@pm.me>
Co-authored-by: Lachlan Donald <lachlan@ljd.cc>

ipn/serve_expand_test.go

@@ -0,0 +1,82 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package ipn
+
+import (
+	"runtime"
+	"testing"
+)
+
+func TestExpandProxyTargetValueUnix(t *testing.T) {
+	tests := []struct {
+		name             string
+		target           string
+		supportedSchemes []string
+		defaultScheme    string
+		want             string
+		wantErr          bool
+		skipOnWindows    bool
+	}{
+		{
+			name:             "unix-socket-absolute-path",
+			target:           "unix:/tmp/myservice.sock",
+			supportedSchemes: []string{"http", "https", "unix"},
+			defaultScheme:    "http",
+			want:             "unix:/tmp/myservice.sock",
+			skipOnWindows:    true,
+		},
+		{
+			name:             "unix-socket-var-run",
+			target:           "unix:/var/run/docker.sock",
+			supportedSchemes: []string{"http", "https", "unix"},
+			defaultScheme:    "http",
+			want:             "unix:/var/run/docker.sock",
+			skipOnWindows:    true,
+		},
+		{
+			name:             "unix-socket-relative-path",
+			target:           "unix:./myservice.sock",
+			supportedSchemes: []string{"http", "https", "unix"},
+			defaultScheme:    "http",
+			want:             "unix:./myservice.sock",
+			skipOnWindows:    true,
+		},
+		{
+			name:             "unix-socket-empty-path",
+			target:           "unix:",
+			supportedSchemes: []string{"http", "https", "unix"},
+			defaultScheme:    "http",
+			wantErr:          true,
+		},
+		{
+			name:             "unix-socket-not-in-supported-schemes",
+			target:           "unix:/tmp/myservice.sock",
+			supportedSchemes: []string{"http", "https"},
+			defaultScheme:    "http",
+			wantErr:          true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.skipOnWindows && runtime.GOOS == "windows" {
+				t.Skip("skipping unix socket test on Windows")
+			}
+
+			// On Windows, unix sockets should always error
+			if runtime.GOOS == "windows" && !tt.wantErr {
+				tt.wantErr = true
+			}
+
+			got, err := ExpandProxyTargetValue(tt.target, tt.supportedSchemes, tt.defaultScheme)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ExpandProxyTargetValue() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !tt.wantErr && got != tt.want {
+				t.Errorf("ExpandProxyTargetValue() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}