Keep in mind that configuring services in a secure way, and using an up to date stable application without any vulnerable add-ons, will eliminate most attacks. Of course the operating system should be hardened and the environment chrooted, in case it isn't already.
That being said, I don't know the mentioned WAFs, but I do know that you can configure mod_security specifically for a web application, so if integer input is expected, only integer input should be allowed.
I don't really see any problems deploying a WAF / Load Balancer on the same box, even though they should be physically separate. What's more important is that they're securely configured in the virtual environment, so that e.g. direct access to the actual web server is not allowed / possible when the WAF / Load Balancer is not available.