After a month with https turned off, I opened it to check if I was still getting hammered. Yep. It's over half my traffic, about 500 requests per second. Poor old single-threaded natd on my old hardware just can't keep up.
Then I had a thought: when if I moved my blocklist firewall rules to before the natd divert rule, instead of after? Would that take the load off natd and let me re-open https?
Yes. Easy peasy lemon squeezy. Wish I'd thought of this two months ago.
I'll have to keep updating my blocklists when the scraper bots change IP addresses or new ones show up. Otherwise I think I'm good for now.