OpenWrt Forum Archive

Topic: OpenWrt - SSL reverse proxy in 4MB flash

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi, I need to secure an HTTP service in my LAN (HW IP relay controller). I have a TP-Link TL-WR741ND with 4MB flash only.

I need to do a reverse proxy. All requests from the WAN to https://OPENWRT.IP:443/ must be redirected to http://LAN.IP:80/, plus I need to add basic password auth for HTTPS.

How can I do that? On a "normal" Linux server I use Apache or nginx. But nginx is compiled without SSL support on OpenWrt, and nginx+SSL is probably over 4MB.

I cannot use stunnel. I need to use a normal web browser like Firefox as the client.
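The configuration the original poster is asking for (TLS terminated on the router, HTTP basic auth, plain HTTP onward to the device on the LAN), as an added example that is not code from this thread or from the OpenWrt project. It assumes the router's nginx is built with the SSL module, that the relay controller sits at the placeholder address 192.168.1.50, and that openssl is available wherever the script is run (a PC is fine; the output directory is then copied to /etc/nginx on the router):

```sh
#!/bin/sh
# Added example, not from the original thread. Generates nginx.conf, a
# self-signed certificate and an htpasswd file for an HTTPS reverse proxy
# with basic auth in front of an HTTP-only LAN device.
# Assumptions: nginx built with SSL; 192.168.1.50 is a placeholder LAN IP;
# openssl is installed where this runs; files end up under /etc/nginx.

# Print an nginx.conf. $1 = LAN IP of the HTTP-only device, $2 = directory
# on the router that holds server.crt, server.key and htpasswd.
gen_nginx_conf() {
    lan_ip=$1
    conf_dir=$2
    cat <<EOF
worker_processes 1;
events { worker_connections 64; }
http {
    server_tokens off;
    # No plain-HTTP listener on the WAN side: the device is only reachable
    # through TLS, and only after basic auth has succeeded.
    server {
        listen 443 ssl;
        ssl_certificate     $conf_dir/server.crt;
        ssl_certificate_key $conf_dir/server.key;
        # TLS 1.2 only; add TLSv1.1 TLSv1 here only if old clients need it.
        ssl_protocols TLSv1.2;
        auth_basic           "relay controller";
        auth_basic_user_file $conf_dir/htpasswd;
        location / {
            proxy_pass http://$lan_ip:80/;
            proxy_set_header Host \$host;
            proxy_set_header X-Forwarded-For \$remote_addr;
        }
    }
}
EOF
}

# One htpasswd line. nginx's auth_basic accepts the apr1 (Apache MD5-crypt)
# format that "openssl passwd -apr1" produces, so no htpasswd tool is needed.
# Note: the password is visible in the process list while openssl runs.
htpasswd_entry() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Self-signed certificate for the name clients type into the browser.
# $1 = public hostname or WAN IP, $2 = output directory.
selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$1" -keyout "$2/server.key" -out "$2/server.crt" 2>/dev/null
    chmod 600 "$2/server.key"
}

# Usage: sh this.sh <LAN IP> <public hostname> <output dir> <user> <password>
# then copy <output dir> to /etc/nginx on the router and restart nginx.
if [ $# -eq 5 ]; then
    mkdir -p "$3"
    selfsigned_cert "$2" "$3"
    htpasswd_entry "$4" "$5" > "$3/htpasswd"
    gen_nginx_conf "$1" /etc/nginx > "$3/nginx.conf"
fi
```

Basic auth over TLS is only as strong as the password and the certificate check in the browser: with a self-signed certificate the user has to accept the certificate on first use, so anyone who can intercept that first connection can substitute their own; pinning the exception in the browser afterwards is what makes later connections meaningful.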

Dude, get a device with more flash!
4MB is just too low for your requirements. Get a TPLINK WR3600 and do your magic then.

valentt wrote:

Dude, get a device with more flash!
4MB is just too low for your requirements. Get a TPLINK WR3600 and do your magic then.

I need only Ethernet, no WiFi. So I removed WiFi support (kmod-ath*, wpad-mini, nl80211, ...) and IPv6 (support from packages, ip6tables, ...) and added nginx with OpenSSL support.

I successfully generated an image, but I haven't tested it yet; maybe tomorrow.

It would be great to have nginx compiled with PolarSSL. OpenSSL is too big...

Getting that working on 4MB of flash might be difficult, but not impossible. Tinyproxy might work, but its reverse proxy features are not compiled in on OpenWrt. I couldn't find anything in the buildroot menuconfig to enable that, but it's described somewhere in the wiki or forums. From my notes, I have this: add "--enable-reverse" to "CONFIGURE_ARGS" in /feeds/packages/net/tinyproxy/Makefile. I didn't bother with it though, since nginx solved all of my reverse proxy needs (I have USB and thus plenty of space on my router).

How did you fare with the nginx SSL build? How much bigger was the firmware image than your non-SSL build?

You can do an SSH tunnel. It is not exactly the proxy you want, but it will grant you secure remote access to a device on your LAN which has an unencrypted HTTP interface. This is built into the basic release build.

Open the router's SSH port 22 to the outside. Then, from somewhere on the Internet, open a terminal and log into the router by SSH using:
ssh root@<router DNS or IP> -L 8080:<LAN IP>:80

Leave this connection open, but you can minimize the terminal window. Go to your web browser at http://localhost:8080. This will be the page of the device on your remote LAN.
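The tunnel procedure above, router side and client side, as an added example that is not code from this thread or from OpenWrt. The router side adds the firewall rule that opens port 22 on the WAN zone (the rule name Allow-SSH-WAN is made up) and switches dropbear to key-only authentication first, since an SSH port open to the Internet with a root password is the main risk of this approach; the client side builds the ssh -L command from the post. With DRY_RUN=1 the script prints the uci commands instead of running them:

```sh
#!/bin/sh
# Added example, not from the original thread. Router-side setup for the
# SSH-tunnel approach plus the client-side forward. Real OpenWrt pieces:
# uci, the firewall "rule" section options, dropbear's PasswordAuth and
# RootPasswordAuth options. Assumptions: the client's public key has already
# been appended to /etc/dropbear/authorized_keys; the rule name is made up.

# Execute a command, or print it when DRY_RUN=1 (useful to review first).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Key-only SSH: no password logins at all once port 22 is reachable from
# the WAN. Do this BEFORE opening the port, or you lock nothing down.
harden_dropbear() {
    run uci set 'dropbear.@dropbear[0].PasswordAuth=off'
    run uci set 'dropbear.@dropbear[0].RootPasswordAuth=off'
    run uci commit dropbear
    run /etc/init.d/dropbear restart
}

# Allow TCP/22 from the wan zone to the router itself.
open_wan_ssh() {
    run uci add firewall rule
    run uci set 'firewall.@rule[-1].name=Allow-SSH-WAN'
    run uci set 'firewall.@rule[-1].src=wan'
    run uci set 'firewall.@rule[-1].proto=tcp'
    run uci set 'firewall.@rule[-1].dest_port=22'
    run uci set 'firewall.@rule[-1].target=ACCEPT'
    run uci commit firewall
    run /etc/init.d/firewall restart
}

# Client side: the command from the post, with -N so no remote shell is
# opened (the session exists only to carry the forward).
# $1 = router DNS name or IP, $2 = LAN IP of the device, $3 = local port.
tunnel_cmd() {
    printf 'ssh -N -L %s:%s:80 root@%s\n' "$3" "$2" "$1"
}

# Usage on the router: sh this.sh apply   (or DRY_RUN=1 sh this.sh apply)
if [ "${1:-}" = "apply" ]; then
    harden_dropbear
    open_wan_ssh
    tunnel_cmd '<router DNS or IP>' '<LAN IP>' 8080
fi
```

After the forward is up, the browser talks to http://localhost:8080 and the only traffic crossing the Internet is the SSH session; the HTTP side stays on the LAN.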

Yes, an SSH tunnel will work. But the user needs to have an SSH client (plink.exe, for example) and create the tunnel before using the secured service.
An SSL proxy does all this automatically.

Firstly, if you don't have enough space in the EEPROM and the device is always connected to the Internet, then you can load the needed packages into RAM (/tmp) on every start.

Take a look at the PolarSSL library; it's small, and if you don't find software that does what you need (a reverse TLS tunnel), you can code it yourself easily in C using PolarSSL.
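The first suggestion in the post above, installing packages into RAM on every start, as an added example that is not code from this thread or from OpenWrt. It uses opkg's destination mechanism ("opkg -d ram install", with a "dest ram /tmp" line in /etc/opkg.conf) and assumes the script is called from /etc/rc.local; the package name nginx and the retry counts are illustrative. Everything under /tmp is gone after a reboot, and the router has to reach the package mirror on every boot, so the install is retried while the WAN comes up:

```sh
#!/bin/sh
# Added example, not from the original thread. Installs packages into the
# tmpfs on every boot, for routers whose flash is too small to hold them.
# Assumptions: OpenWrt opkg with a "ram" destination at /tmp (added to
# /etc/opkg.conf if missing); run from /etc/rc.local as "sh this.sh boot";
# nginx is just the example package.

RETRY_DELAY=${RETRY_DELAY:-5}

# Make sure opkg knows a destination rooted at /tmp. $1 = opkg.conf path.
# Idempotent: the line is appended only once.
ensure_ram_dest() {
    grep -q '^dest ram /tmp$' "$1" || printf 'dest ram /tmp\n' >> "$1"
}

# Run a command up to $1 times, pausing RETRY_DELAY seconds between tries,
# because rc.local can run before the WAN link and DNS are usable.
retry() {
    n=$1; shift
    while [ "$n" -gt 0 ]; do
        "$@" && return 0
        n=$((n - 1))
        [ "$n" -gt 0 ] && sleep "$RETRY_DELAY"
    done
    return 1
}

# "opkg -d ram" places binaries under /tmp/usr/bin and /tmp/usr/sbin and
# libraries under /tmp/usr/lib and /tmp/lib; this is the environment a
# program installed there needs in order to find them.
ram_env() {
    printf 'PATH=/tmp/usr/sbin:/tmp/usr/bin:%s LD_LIBRARY_PATH=/tmp/usr/lib:/tmp/lib' "$PATH"
}

# Refresh the package lists, then install the given packages into RAM.
install_to_ram() {
    retry 12 opkg update || return 1
    retry 3 opkg -d ram install "$@"
}

if [ "${1:-}" = "boot" ]; then
    ensure_ram_dest /etc/opkg.conf
    install_to_ram nginx || exit 1
    # The config under /etc/nginx lives in flash and survives reboots;
    # only the program and its libraries are re-downloaded.
    env $(ram_env) /tmp/usr/sbin/nginx -c /etc/nginx/nginx.conf
fi
```

The trade-off a practitioner should weigh: the router now executes freshly downloaded code on every boot, so the integrity of the package source and of the path to it matters as much as the proxy configuration itself.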
