
How to Harden Nginx with a Let's Encrypt SSL Certificate and Get an A+ Score from Qualys SSL Labs?

I have previously written these articles for CentOS Web Panel, one for the Nginx + Varnish + Apache + PHP-FPM stack and one for an Apache-only server.
Source details:
1. Install Let's Encrypt SSL Certificate for your Server Hostname/FQDN, 100% Working
2. Install Let's Encrypt for Admin Panel & User Panel Again, 100% Working
My certificate score after SSL hardening:

Both articles mentioned above need some changes, which I will make later for CentOS Web Panel. I have now started to like VestaCP, a very lightweight control panel that ships many nginx templates for popular CMSs. I am using Nginx + PHP-FPM on Ubuntu 16.04 LTS. I have added a 4096-bit Let's Encrypt SSL certificate to the VestaCP admin panel; it works perfectly and no browser shows a warning.
Article: How to Configure 4096 bits Let's Encrypt SSL for VestaCP Control (Admin) Panel?

Using an SSL certificate does not by itself mean you are secure; you also have to harden your SSL configuration. My default SSL rating is B.
N.B.: I am using the cipher list below. You can also take one from cipherli.st or from the Mozilla SSL Configuration Generator.
Resource links:
https://cipherli.st/
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://wiki.mozilla.org/Security/Server_Side_TLS
Mozilla SSL Configuration Generator: https://ssl-config.mozilla.org/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://ssldecoder.org/

Before proceeding, check your nginx and OpenSSL versions (the minimum nginx version needed by each directive is noted in the configuration below).
Before making any changes, take a backup of your nginx configuration file:
# cd /etc/nginx/
# cp -a nginx.conf nginx.conf-bak
Generate a 4096-bit DH parameter file:
# openssl dhparam -out /etc/nginx/dhparam.pem 4096

Add the code below to your nginx configuration file:
# vi /etc/nginx/nginx.conf

# SSL Settings
#ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers   on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

ssl_session_timeout 10m;
ssl_session_cache   shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9

# OCSP stapling
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7

port_in_redirect off;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
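The comments in the block above tie each directive to a minimum nginx version, and the block as a whole is the difference between the default B rating and an A. As an added example (not from the article or from nginx itself), the script below parses an SSL block the way a reviewer would read it, flags the settings that the article tightens (old protocol versions, no DH parameters, session tickets left on, stapling off or without a resolver), and checks the directives against the nginx version reported by `nginx -v`. The two configuration samples and the version banner are constructed for the example; the audit rules simply mirror the hardened block above.

```python
import re

# Constructed sample: the article's hardened SSL block as it would appear in nginx.conf.
HARDENED_CONF = """\
# SSL Settings
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers   on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache   shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
"""

# Constructed sample of a typical unhardened block (the kind that rates B).
DEFAULT_CONF = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
"""

# Minimum nginx version per directive, as given in the article's comments.
MIN_VERSION = {
    "ssl_ecdh_curve": (1, 1, 0),
    "ssl_session_tickets": (1, 5, 9),
    "ssl_stapling": (1, 3, 7),
    "ssl_stapling_verify": (1, 3, 7),
}
TLS13_MIN_VERSION = (1, 13, 0)  # TLSv1.3 in ssl_protocols, per the article's comment


def parse_directives(text):
    """Map each directive name to its argument list; comments are stripped first."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line.endswith(";"):
            continue
        parts = line[:-1].split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def parse_nginx_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output such as
    'nginx version: nginx/1.10.3 (Ubuntu)'."""
    match = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not match:
        raise ValueError("unrecognised nginx version banner: %r" % banner)
    return tuple(int(x) for x in match.groups())


def audit(text, nginx_version):
    """Return a list of findings; an empty list means the block matches the hardened baseline."""
    d = parse_directives(text)
    findings = []
    protocols = d.get("ssl_protocols", [])
    for weak in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        if weak in protocols:
            findings.append("weak protocol enabled: " + weak)
    if "TLSv1.3" in protocols and nginx_version < TLS13_MIN_VERSION:
        findings.append("TLSv1.3 needs nginx >= 1.13.0")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers not on")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam missing")
    if d.get("ssl_session_tickets") != ["off"]:
        findings.append("ssl_session_tickets not off")
    if d.get("ssl_stapling") != ["on"] or d.get("ssl_stapling_verify") != ["on"]:
        findings.append("OCSP stapling not fully enabled")
    if "ssl_stapling" in d and "resolver" not in d:
        findings.append("ssl_stapling on but no resolver configured")
    for name, minimum in MIN_VERSION.items():
        if name in d and nginx_version < minimum:
            findings.append("%s needs nginx >= %s" % (name, ".".join(map(str, minimum))))
    return findings


if __name__ == "__main__":
    version = parse_nginx_version("nginx version: nginx/1.10.3 (Ubuntu)")  # constructed banner
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf, version) or "OK")
```

Run it against a real file by reading the `ssl_*` lines out of nginx.conf and passing the actual `nginx -v` output; a finding of the "needs nginx >= ..." kind means the directive will make `nginx -t` fail on that build, which is exactly what the article's version check is meant to catch before the restart.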
Check the nginx syntax. If everything is okay, restart nginx:
# nginx -t
# systemctl restart nginx
Visit SSL Labs to check your SSL score: https://www.ssllabs.com/ssltest/index.html

What do you see? My SSL score is A, not A+!

Just add the code below after # Mime settings; the whole block will then look like this:
# Mime settings
include             /etc/nginx/mime.types;
default_type        application/octet-stream;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options "SAMEORIGIN"  always;
add_header X-Content-Type-Options "nosniff"  always;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors https://mail.datahead.biz/;";
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header Feature-Policy "accelerometer 'none'; ";
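The jump from A to A+ comes from the Strict-Transport-Security header, so it is worth being able to tell whether the value you configured actually qualifies. As an added example (not part of the article), the script below parses nginx add_header lines, breaks the HSTS value into its max-age, includeSubDomains and preload parts, and reports whether it is long enough for the SSL Labs A+ bonus and whether it meets the hstspreload.org submission requirements. The six-month threshold used for the A+ check is an assumption taken as 15768000 seconds; the one-year preload minimum of 31536000 seconds is the published hstspreload.org requirement. The sample header lines are the article's own, plus a constructed too-short variant for comparison. Two nginx caveats are built in: a header without the `always` parameter is only added to 2xx and 3xx responses, and add_header lines set in the http block are not inherited by a server or location block that defines any add_header of its own, so a VestaCP template with its own headers would silently drop these.

```python
import shlex

# The article's add_header lines, as placed in the http block of nginx.conf.
ARTICLE_HEADERS = [
    'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";',
    'add_header X-Frame-Options "SAMEORIGIN"  always;',
    'add_header X-Content-Type-Options "nosniff"  always;',
    'add_header X-XSS-Protection "1; mode=block";',
    'add_header Content-Security-Policy "frame-ancestors https://mail.datahead.biz/;";',
    'add_header Referrer-Policy strict-origin-when-cross-origin;',
    'add_header Feature-Policy "accelerometer \'none\'; ";',
]

# Constructed counter-example: an HSTS max-age far too short for the A+ bonus.
SHORT_HSTS = ['add_header Strict-Transport-Security "max-age=300";']

SIX_MONTHS = 15768000  # assumed value for SSL Labs' "long max-age" (at least six months)
ONE_YEAR = 31536000    # minimum max-age for hstspreload.org submission


def parse_add_header(line):
    """Return (name, value, always) from one nginx add_header directive."""
    body = line.strip().rstrip(";").strip()
    parts = shlex.split(body)  # honours the double-quoted header value
    if len(parts) < 3 or parts[0] != "add_header":
        raise ValueError("not an add_header directive: %r" % line)
    always = len(parts) > 3 and parts[3] == "always"
    return parts[1], parts[2], always


def parse_hsts(value):
    """Split an HSTS value into its directives; keys are matched case-insensitively."""
    out = {"max-age": None, "includeSubDomains": False, "preload": False}
    for token in value.split(";"):
        key, _, val = token.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            out["max-age"] = int(val.strip().strip('"'))
        elif key == "includesubdomains":
            out["includeSubDomains"] = True
        elif key == "preload":
            out["preload"] = True
    return out


def evaluate_hsts(header_lines):
    """Judge the HSTS header among a list of add_header lines.

    Returns present / a_plus (long enough for the SSL Labs bonus) /
    preload_ready (meets hstspreload.org requirements) plus human-readable notes."""
    hsts, always = None, False
    for line in header_lines:
        name, value, flag = parse_add_header(line)
        if name.lower() == "strict-transport-security":
            hsts, always = parse_hsts(value), flag
    if hsts is None or hsts["max-age"] is None:
        return {"present": False, "a_plus": False, "preload_ready": False,
                "notes": ["no Strict-Transport-Security header configured"]}
    notes = []
    a_plus = hsts["max-age"] >= SIX_MONTHS
    if not a_plus:
        notes.append("max-age %d is below six months" % hsts["max-age"])
    preload_ready = (hsts["max-age"] >= ONE_YEAR and hsts["includeSubDomains"]
                     and hsts["preload"])
    if not preload_ready:
        notes.append("not preload-ready: needs max-age >= 31536000, includeSubDomains and preload")
    if not always:
        notes.append("HSTS header lacks 'always'; nginx omits it on error responses")
    return {"present": True, "a_plus": a_plus, "preload_ready": preload_ready, "notes": notes}


if __name__ == "__main__":
    for label, lines in (("article", ARTICLE_HEADERS), ("short", SHORT_HSTS)):
        print(label, evaluate_hsts(lines))
```

Point it at the add_header lines of every server block, not just the http block, because of the inheritance rule mentioned above: SSL Labs only sees the headers the matching server block actually emits.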
Now check again with: https://www.ssllabs.com/ssltest/analyze.html?d=mail.datahead.biz

If you want to learn more, just compare:
https://ssl-config.mozilla.org/
https://cipherli.st/
