I strongly suggest that you reconsider this decision. In fact, I strongly suggest that you host the UI elements on the controller by default. (If 3MB of content is too much for the SD card, it’s arguably already too small.)
As it stands, you’re one DNS hijack plus a browser vulnerability away from being a vector for compromising your users’ systems.
And no, a mobile app is not always a viable alternative. My mother, who is the main “plant person” in our household, doesn’t have a smartphone or tablet. If I were to need remote access to the controller it would currently be done via SSH, VNC, and a browser. Given the lack of SSL/TLS support, I can’t see myself ever exposing this thing to the Internet.