Here is my nginx site config for Movielib; it looks a bit ugly, but it works.
If you want to get rid of the self-signed cert, use Let's Encrypt.

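# Plain-HTTP listener: serves no content, only redirects every request
# to the HTTPS virtual host below.
server {
        listen 80;
        listen [::]:80;
        server_name example.example.tld;

        # Redirect to the configured server_name rather than the
        # client-supplied Host header, keeping path and query string.
        return 301 https://$server_name$request_uri;
}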

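# HTTPS virtual host for Movielib: terminates TLS, serves static files
# from the document root and hands *.php requests to PHP-FPM.
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.example.tld;

        # Declared at server level so every location below (including
        # $document_root in the PHP handler) resolves against the same tree.
        root /var/www/movielib;

        # Access and error log share one file, as in the original config.
        access_log /var/log/nginx/movielib.log;
        error_log /var/log/nginx/movielib.log info;

        # HSTS. "always" makes nginx send the header on error responses
        # too, not only on 2xx/3xx.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;

        # SSL Settings
        # TLS is enabled by the "ssl" flag on the listen lines above; the
        # separate "ssl on;" directive is deprecated and has been dropped.
        ssl_certificate /etc/letsencrypt/live/example.example.tld/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.example.tld/privkey.pem;

        # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and no longer offered.
        # Add TLSv1.3 here if the installed nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        ssl_ciphers 'AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1h;
        ssl_dhparam /etc/nginx/dhparam.pem;

        # OCSP stapling. nginx needs a "resolver" directive to look up the
        # OCSP responder, and ssl_stapling_verify needs the issuer chain to
        # be trusted (ssl_trusted_certificate). Neither is set in this file;
        # confirm they are configured elsewhere, otherwise stapling may not
        # take effect.
        ssl_stapling on;
        ssl_stapling_verify on;

        location / {
                index index.php;
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                # NOTE(review): the contents of this snippet are not shown
                # here. Confirm it rejects requests for scripts that do not
                # exist on disk before they reach PHP-FPM, so that only real
                # .php files under the document root are ever executed.
                include snippets/fastcgi-php.conf;

                fastcgi_pass   unix:/run/php/php7.0-fpm.sock;
                #fastcgi_index  index.php;
                fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
                fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;

                # Enlarged FastCGI response buffers.
                fastcgi_buffer_size 128k;
                fastcgi_buffers 256 16k;
                fastcgi_busy_buffers_size 256k;
                fastcgi_temp_file_write_size 256k;
        }

        # Static assets: not logged, cacheable by clients for 10 days.
        location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
                access_log        off;
                log_not_found     off;
                expires           10d;
        }
}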

