by sdfjkl 4652 days ago
A couple points:

* !RC4 - RC4 is in doubt[1]. The only reason to keep it around was to mitigate the BEAST attack, which is now mitigated[2] client-side, so RC4 should be dropped.

* gzip off; - Explicitly disable gzip compression to avoid BREACH[3]

* Ensure TLS deflate is off to mitigate CRIME[4] (this is the default in most, but not all combinations of nginx/OpenSSL).

* openssl ciphers -v is great for testing what ciphers match your settings.

* Comment your nginx config! You will not remember all of this when you next look at it (or someone else does). And some of it will certainly be outdated. Security is not a static game.

[1] http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_b...
[2] https://community.qualys.com/blogs/securitylabs/2013/09/10/i...
[3] http://en.wikipedia.org/wiki/BREACH_%28security_exploit%29
[4] http://en.wikipedia.org/wiki/CRIME_%28security_exploit%29

2 comments

> * gzip off; - Explicitly disable gzip compression to avoid BREACH[3]

You don't have to disable gzip entirely. Just on any URLs where an attacker could influence the contents of the response. If you serve all your static assets out of their own location block, feel free to enable gzip there.

I followed your advice and added comments to almost all my configurations. I will add some test tools to allow easier testing of the configurations, but I think it's a lot better now.

Besides that, I assume people will use nginx 1.3.7 or newer, so a few defaults are assumed as well.
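The following server block is an added example written for this page, not a configuration from the thread's author or from the article under discussion. It pulls together the points above: an OpenSSL cipher string with !RC4, gzip off at the server level against BREACH, and gzip re-enabled only in a static-assets location block as the reply suggests. The hostname, certificate paths, backend address and /static/ path are placeholders; it assumes nginx 1.3.7 or newer built against OpenSSL 1.0.1+ (for TLS 1.1/1.2).

```nginx
# Added example, not from the thread. Placeholder names: example.com, the
# certificate paths, the 127.0.0.1:8080 backend and the /static/ location.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # No SSLv2/SSLv3; TLS 1.1/1.2 need OpenSSL 1.0.1 or newer.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Forward-secret AES-GCM first; RC4 dropped outright (it was only kept
    # for BEAST, which current clients mitigate). Check what the string
    # expands to before deploying:
    #   openssl ciphers -v 'ECDHE-RSA-AES128-GCM-SHA256:...:!RC4'
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES';
    ssl_prefer_server_ciphers on;

    # BREACH: no HTTP compression on any response that can combine a
    # secret (CSRF token, session data) with attacker-influenced input.
    gzip off;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }

    # Static files carry no secrets and reflect no user input, so
    # compressing them does not give BREACH anything to measure.
    location /static/ {
        root /var/www/example.com;
        gzip on;
        gzip_types text/css application/javascript image/svg+xml;
    }
}
```

nginx has no directive for TLS-level (CRIME) compression; whether it is available depends on how OpenSSL was built. To confirm it is off, connect with `openssl s_client -connect example.com:443` and check that the session summary reports "Compression: NONE".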