Hmm… The nginx config seems very weird to me. The first cipher is ECDHE-RSA-AES256-GCM-SHA512 which doesn’t even exist according to IANA. They recommend TLS 1.3 but it’s still draft and not well supported by browsers yet. And no chacha20-poly1305?
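One way to catch the kind of mistake the comment above points out (a suite name such as ECDHE-RSA-AES256-GCM-SHA512 that no OpenSSL build recognises, and which OpenSSL silently drops when other entries in the list do resolve) is to resolve each entry of the `ssl_ciphers` string separately against the local OpenSSL. This is an added example, not code from the thread; the sample cipher string is constructed.

```python
import ssl


def check_cipher_string(cipher_string):
    """Resolve each entry of an OpenSSL-style cipher list (e.g. nginx ssl_ciphers).

    Returns {"known": {entry: [resolved suite names]}, "unknown": [entries]}.
    Entries are checked one at a time because OpenSSL ignores unknown names
    when at least one other entry in the same list resolves, so a typo in a
    full list goes unnoticed; a single unknown entry raises SSLError.
    """
    result = {"known": {}, "unknown": []}
    for entry in cipher_string.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(entry)
        except ssl.SSLError:
            # Name not recognised (or not compiled in) by this OpenSSL build
            result["unknown"].append(entry)
            continue
        # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are always listed and are not
        # governed by set_ciphers, so drop them to see what the entry itself matched.
        resolved = [c["name"] for c in ctx.get_ciphers()
                    if not c["name"].startswith("TLS_")]
        if resolved:
            result["known"][entry] = resolved
        else:
            result["unknown"].append(entry)
    return result


if __name__ == "__main__":
    # Constructed sample: the first entry is the non-existent suite from the comment
    sample = ("ECDHE-RSA-AES256-GCM-SHA512:"
              "ECDHE-RSA-AES256-GCM-SHA384:"
              "EECDH+AESGCM")
    report = check_cipher_string(sample)
    for entry, suites in report["known"].items():
        print(f"{entry!r} -> {', '.join(suites)}")
    for entry in report["unknown"]:
        print(f"{entry!r} -> NOT recognised by {ssl.OPENSSL_VERSION}")
```

Run it on the host that will serve the config: an entry reported as unknown there is either a typo or a suite this OpenSSL lacks (as with CHACHA20 on OpenSSL 1.0.2), and nginx will serve without it either way.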
CHACHA20-POLY1305 and X25519 require OpenSSL 1.1 which I don’t actually have (I’m using CentOS 7), but I’m keeping them in my config files for the future.
The -ECDSA- suites require an ECDSA certificate. Let’s Encrypt supports them, but Certbot doesn’t (you can get one with a custom CSR, but renewing doesn’t work). Besides, the future seems to be EdDSA certificates. So I suggest skipping them unless you like to try things just because they’re there (I know I do).
DHE seems to be useless. All clients that support it also support ECDHE, with two exceptions: Android 2.3 and Java 6. And enabling it for Android 2.3 with >=2048 bits breaks Java 6… so if you really need Android 2.3 and Java 6, enable AES128-SHA:AES256-SHA without Forward Secrecy.
Just for fun: The ridiculous 100% config (useless in real life since many clients don’t support it, including Android 6.0):