Serve /debug endpoints with a different internal http server

Currently the `/debug` endpoints are served by the same server as the one serving business endpoints. If Zanzibar server is exposed directly to public, then these endpoints will be a security concern. In that sense, it's safer to serve `/debug` endpoints with a different unexposed internal sever.