Thanks for sharing your config, it's always cool to see how others have set up their servers. Looking at what you did and what I do, I made a few notes.
You may want to disable TLSv1.1 and just have "ssl_protocols TLSv1 TLSv1.2;"
My cipher line is "ssl_ciphers ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128;" I'm not saying that is the best, just providing it for comparison. There are sites that you can test your SSL setup against for compatibility and vulnerability. https://www.ssllabs.com/ssltest/ is one.
I was not sure about the "index index.php index.html index.htm;" line, I was not even aware you could enter it like that, but then there is significantly more I don't know about Nginx than the little I do. For comparison here is what I do.
location / {
    index index.php index.html index.htm;
    try_files $uri $uri/ @rewrites;
}
location @rewrites {
    rewrite ^ /index.php last;
}
My php section looks like this for all sites. You need to make sure names used sync up here and in your fastcgi_params file.
    # $1 and $2 are regex captures; the enclosing location block is not shown
    try_files $1 =404;
    include /etc/nginx/fastcgi_params;
    # unescaped $ anchors the match at the end of the URI
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_param SCRIPT_FILENAME $document_root$1;
    fastcgi_param PATH_INFO $2;
    fastcgi_param HTTPS on;
    fastcgi_pass unix:/var/run/nginx/yoursite.com-php-fpm.socket;
    fastcgi_index index.php;
For expires I've moved those to my main nginx.conf file and use the map directive (need the right version of Nginx). Placing it there makes it the same for all sites on your server, which you may not want to do, but the map functions are very nice.
# Expires map
map $sent_http_content_type $expires {
    default                        off;
    text/html                      epoch;
    text/css                       max;
    application/javascript         max;
    ~image/                        max;
    application/pdf                1M;
    ~font/                         max;
    application/vnd.ms-fontobject  max;
    application/font-woff          max;
    application/x-font-woff        max;
    application/font-woff2         max;
}
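
An offline complement to the SSL Labs test mentioned in the post, as an added example that is not part of the original post: it asks the local OpenSSL, through Python's ssl module, which suites the quoted ssl_ciphers string actually enables. The function names are hypothetical and the exact list depends on the installed OpenSSL version; TLS 1.3 suites are reported separately because this kind of cipher string does not control them.

```python
import ssl

# Cipher string quoted in the post above.
POST_CIPHERS = "ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128"


def expand(cipher_string):
    """Return the suites the local OpenSSL enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Raises ssl.SSLError if the string selects no usable suite at all.
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def split_by_control(suites):
    """Separate suites the string governs from the TLS 1.3 suites it cannot touch."""
    governed = [s for s in suites if s["protocol"] != "TLSv1.3"]
    tls13 = [s for s in suites if s["protocol"] == "TLSv1.3"]
    return governed, tls13


def report(cipher_string):
    """Return (rows, tls13_names); each row is (name, min protocol, bits, mode)."""
    governed, tls13 = split_by_control(expand(cipher_string))
    rows = []
    for s in governed:
        # "aead" is reported by OpenSSL 1.1.0+; non-AEAD suites here are CBC-based.
        mode = "AEAD" if s.get("aead") else "non-AEAD"
        rows.append((s["name"], s["protocol"], s["strength_bits"], mode))
    return rows, [s["name"] for s in tls13]


if __name__ == "__main__":
    rows, tls13_names = report(POST_CIPHERS)
    print("Suites selected by the cipher string:")
    for name, proto, bits, mode in rows:
        print(f"  {name:<32} {proto:<8} {bits:>3} bits  {mode}")
    print("TLS 1.3 suites (not affected by the string, so !AES128 does not apply):")
    for name in tls13_names:
        print(f"  {name}")
```

Run it on the server itself so the result reflects the OpenSSL build that Nginx links against on that host.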