What is the risk of using http on an internal webserver?

By not using TLS you are giving up the integrity and confidentiality. Your connection can be monitored or altered and there is nothing there to guarentee the endpoint is who they say they are.

• An internal attacker can man-in-the-middle your http connection reading and altering data.
• An employee could be targeted via phishing and a DNS rebind attack could be used against them to access this resource to get documents. As they are already within your network the request would circumvent your firewall. This however requires the attacker to have knowledge of your network.

Unfortunately we live in a time where you must assume you are breached so plan your security controls around this.

HTTPS is used to protect the connection against sniffing, manipulation and against impersonating an endpoint. How much this protection is needed in your local network depends on how much you can trust your network. As always, there is no absolute security but one has to find a balance between the achievable security and the remaining risk considering the amount of resources (money, time, people) needed to increase the security.

For example if you have a local network where a not fully trusted person (or a compromised machine) could use ARP or DHCP spoofing to redirect the traffic, then use of HTTPS on the internal network could be used to protect the traffic anyway. But maybe a better investment would be to increase general security of the network in such cases. If instead all machines on the network are properly authenticated and IPSec is already used to protect communication on a lower layer than adding HTTPS on top of this is less needed. But it still can be used as a defense in depth measure, especially if the lower layer protection (IPSec) is managed by different departments or governed by different security requirements than the higher level protection (HTTPS).