nginx doesn't (yet) support configuring the TLSv1.3 ciphersuite preference order. The default order is hardcoded in OpenSSL, in the TLS_DEFAULT_CIPHERSUITES macro in include/openssl/ssl.h, so to e.g. prioritize ChaCha20 over the AES suites, apply the following patch:
diff -urN openssl-1.1.1a-old/include/openssl/ssl.h openssl-1.1.1a/include/openssl/ssl.h
--- openssl-1.1.1a-old/include/openssl/ssl.h 2018-11-20 13:35:40.000000000 +0000
+++ openssl-1.1.1a/include/openssl/ssl.h 2018-12-26 05:32:44.915797200 +0000
@@ -173,8 +173,8 @@
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
/* This is the default set of TLSv1.3 ciphersuites */
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_CHACHA20_POLY1305_SHA256:" \
+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_256_GCM_SHA384:" \
"TLS_AES_128_GCM_SHA256"
# else
# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
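Review bot: The reordered `TLS_DEFAULT_CIPHERSUITES` in the ChaCha/Poly1305 branch only decides the negotiated suite when the server enforces its own order; for nginx that means `ssl_prefer_server_ciphers on;`, otherwise the client's order still wins and the patch has no visible effect. The comment above the macro still reads as the stock default, so I would mark the deviation, e.g. `/* LOCAL PATCH: ChaCha20-Poly1305 moved ahead of AES-256-GCM; upstream lists AES-256-GCM first */`, so the change is not silently lost when the tree is upgraded. Because this edits a compile-time default, it applies to every SSL_CTX in this build that does not set its own TLSv1.3 suites. The `# else` branch continues past the end of the hunk.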
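Then build nginx as normal, pointing it at the patched source tree: ./configure --with-openssl=/path/to/patched/openssl-1.1.1a etc. Note that --with-openssl compiles this OpenSSL tree into the nginx binary, so picking up a later OpenSSL security release means re-applying the patch to the new tree and rebuilding nginx.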
