This is the general SSL settings template I use for my NGINX setups. I store this in /etc/nginx/conf.d and symlink it to conf.d/conf-enabled where it is read by my nginx.conf file and becomes active for all my sites.

mozModern_ssl.conf

#######
### Generated with assistance from the Mozilla SSL Configuration Generator
### 'modern' NGINX profile
### current as May 21 2018
#######


## SSL certificates are specified in the server block


## SSL parameters
ssl_session_timeout	1d;
ssl_session_cache	shared:SSL:50m;
ssl_session_tickets	off;

## SSL ciphers
ssl_protocols	TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers	on;

## Diffie-Hellman parameter for DHE ciphersuites, using 4096 bits
ssl_dhparam	/etc/ssl/certs/dhparam.pem;

## HSTS
add_header	Strict-Transport-Security max-age=15768000;

## OCSP Stapling
# Fetch OCSP records from URL in ssl_certificate and cache them.
# If certificate does not use OCSP responder, stapling can be "off".
# Self-signed certs/testing certs do not usually use an OCSP responder.
ssl_stapling			off;
ssl_stapling_verify		on;
ssl_trusted_certificate	/etc/ssl/certs/your-intermediate-and-root-chain.crt;

# resolver should be specified in nginx.conf if different from system resolver

My basic nginx.conf file that references this file for all SSL parameters is here