You can install ufw and a frontend for it that lets you block specific processes. https://wiki.archlinux.org/title/Uncomplicated_Firewall#GUI_frontends It seems KDE already comes with a frontend in the system settings, and there's gufw for GNOME/GTK.
I recently bought an x86 passively cooled box from Topton, an AliExpress merchant, that was recommended by ServeTheHome, a great YouTube channel/blog that reviews all kinds of networking equipment for homelabs. Since it's x86, you can pretty much install anything on it, in my case OPNsense. I recommend you watch some of their videos/read their blogs and see what fits!
I read you mentioned Firefox. I had a similar experience a while ago, related to this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1704774#c13
The nginx documentation for the ssl preread module has an almost identical example.
I am running a similar setup to yours. The issue is that only one server block can listen to an address+port pair. You ought to do something like this:
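# These directives belong in the stream {} context, not http {}.
# Pick the backend from the SNI name in the ClientHello; TLS is not terminated here.
map $ssl_preread_server_name $proxy_backend_router {
    serviceA.example.com upstreamA:12346;
    serviceB.example.com upstreamB:12346;
    # Any other name is sent to a placeholder name built from the SNI value.
    default $ssl_preread_server_name.invalid_proxy:443;
}
# A single server block owns port 443 and hands each connection to the mapped backend.
server {
    listen 443;
    ssl_preread on;
    proxy_pass $proxy_backend_router;
}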
What you should be asking is whether the cables are the bottleneck in your network or not.
Is there any link that is not negotiating 1Gbps? Do you have devices that could push 10Gbps but the cable is not allowing it? If not, then there's no need to upgrade them.
Unless, of course, you want to do it just for fun, which is also a legitimate reason 😄