Conceptional failures of your SSL It! extension
Your SSL It! plugin has some conceptional failures:
You provide Mozillas Cipher Suites to adjust the three levels of Mozilla. I'm unsure, if you always then set the additional settings like nginx ssl session caching, but however, Mozillas Suites are not the best. Better is the rating table of Qualys SSL Labs, as that's the grade finally looking for. E.g. Mozillas most secure level requires EC certs, as you don't provide a way to order or install such certs with your normal SSL certificate dialogue (if don't want to order via Let's Encrypt or Encryption Everywhere program), so it's somehow useless. Also I won't see EC as such interesting as if quant computing will come, key length of a 384 bit EC is still 384 bit meanwhile a 4096 bit RSA is still 4096 bit and will not be first possible target.
You provide OCSP setting, but I don't understand, why this setting should be done per domain. Why not enable at all for all sites or give possibility to choose?
I'm unsure, how you handle alias domains, you recognize them, but will a certificate order (e.g. LE or EE) then will issue all separate certs or provide possibility to purchase one with all entries?
HTTP to HTTPS redirection (if no cert available) still has its problems. If you have aliases, aliases will first redirect to https, so they need a cert just therefor (better to change the order of redirects) as well as you redirect from non-www to www first, if preferred domain is www, however, that's recognized as bad practice by HSTS preload list (would be fine to be linked to enter or check your site there) and could result in not been listed (so again wrong redirection order).
As you also allow to protect webmail (however, you don't see, if it's protected already as in my situation), what's about MTA-STS support?
Christian Heutger commented
Addendum: And do you also allow to set ciphers for other services like Plesk Panel here and different ciphers (because of worse support on client side) for mail server and to adjust DH param and EC DH param at cipher adjustment as otherwise it's still required to use sslmng in addition to what's provided in the plugin.