nginx settings for a 100% A+ result on qualys ssllabs ssl test, also full compatibility with handshake simulations - it requires a 4096 dhparam file and 4096 rsa keys size ("--rsa-key-size 4096" parameter with certbot, can be used with the renew mode)

100percent_nginx.conf

server {
	listen 443 ssl http2;
	server_name mak.wtf;

	ssl_protocols TLSv1.2;

	ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA";
	ssl_ecdh_curve secp384r1;

	ssl_session_cache shared:le_nginx_SSL:1m;
	ssl_buffer_size 8k;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:TLS:2m;
	ssl_session_timeout 10m;
	ssl_session_tickets off;

	ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;
	ssl_certificate /etc/letsencrypt/live/mak.wtf/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/mak.wtf/privkey.pem;

	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 valid=300s;
	resolver_timeout 5s;

	add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";

	location ~ /.well-known/ {
		root /var/www/letsencrypt;
	}

	error_page   500 502 503 504  /50x.html;
	location = /50x.html {
		root   /usr/share/nginx/html;
	}

	location ~ /\.ht {
		deny  all;
	}

	root /var/www/mak.wtf;
}