[EDIT 2020] --> use the 'symfony/dotenv'
According to the how to deploy official documentation what you can do is to move 'symfony/dotenv' in your composer file from require-dev to require so it's installed also on production environement. Then you can keep using a .env.local file.
If you don't want or can't use the 'symfony/dotenv'
For Apache and on Ubuntu first you need mod_env activated
sudo a2enmod env
sudo service apache2 restart
Then put the environement variable in the .htacess or in the vhost config file. For SF4 the .htacess is in /public and here is the syntax. I don't know if order matter, I would say no, so I added them on the top of the file.
SetEnv APP_ENV prod
SetEnv APP_SECRET fjsdkfj...
SetEnv DATABASE_URL mysql://...
Now some random useful tricks :
You don't want to commit the .htaccess file. Add it to the shared part of your deployment tool. In my case (easy-deploy-bundle)
->sharedFilesAndDirs(['public/.htaccess'])
You'll need to copy the environment variables in /etc/environment so it's available by composer ... this one is a real pain in the ass, because now you duplicated your variables. So the Symfony team said env variable are betters because safer and standard. But duplicate the information is not safer at all. Maybe I'm doing it wrong (which is completly possible). If you know how to avoid this please share.
The printenv command will show you if it's correctly configured.
If you use easy-deploy-bundle for production remove the --quiet option on composer so you have a clear error message if it fail (because it doesn't find the env variable for example). Also check that --no-dev option is here, so it won't install dotenv package.
->composerInstallFlags('--prefer-dist --no-interaction --no-dev')
