diff --git a/docs/setup-ai-workspace-all-in-one.md b/docs/setup-ai-workspace-all-in-one.md index cfc94a5..f5d20b3 100644 --- a/docs/setup-ai-workspace-all-in-one.md +++ b/docs/setup-ai-workspace-all-in-one.md @@ -62,7 +62,12 @@ ansible-playbook -i inventory.ini setup-ai-workspace-all-in-one.yml \ ### 细粒度服务暴露开关 (支持针对性覆盖) -1. **XWorkmate Bridge 公网访问控制** +1. **XWorkspace Console (底层主工作区门户) 公网访问控制** + - **默认值:** `true` (standard 下) / `false` (strict 下) + - **参数:** `-e "xworkspace_console_public_access=false"` + - **作用:** 设为 true 时,会自动将本地 17000 端口通过 Caddy 反向代理到绑定的 `workspace.svc.plus` 域名提供公网访问。设为 false 时则销毁对应代理文件,只能进服务器内网/XRDP访问。 + +2. **XWorkmate Bridge 公网访问控制** - **默认值:** `true` (standard 下) / `false` (strict 下) - **参数:** `-e "xworkmate_bridge_public_access=false"` - **作用:** 设为 false 时,会彻底删除该服务在 Caddy `/etc/caddy/conf.d` 中的 `.caddy` 文件,使其失去从外界 HTTPS 进入内部 8787 端口的路径。 diff --git a/setup-xworkspace-console.yaml b/setup-xworkspace-console.yaml index c3bef34..713ae00 100644 --- a/setup-xworkspace-console.yaml +++ b/setup-xworkspace-console.yaml @@ -5,6 +5,8 @@ gather_facts: true vars: xworkspace_console_user: ubuntu + xworkspace_console_public_access: "{{ true if ai_workspace_security_level | default('standard') != 'strict' else false }}" + xworkspace_console_domain: workspace.svc.plus xworkspace_console_home: /home/ubuntu xworkspace_console_root: /home/ubuntu/xworkspace xworkspace_console_portal_dir: /home/ubuntu/xworkspace/portal 
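Review bot: The new `xworkspace_console_public_access` default in `vars:` spells out a ternary where the comparison already yields the boolean; `xworkspace_console_public_access: "{{ (ai_workspace_security_level | default('standard')) != 'strict' }}"` reads more directly and still renders to a value that the later `| bool` filters accept. Placing it under play-level `vars:` is what lets the documented `-e "xworkspace_console_public_access=false"` override it, since extra vars take precedence, so that part is fine. Consider a comment above the line recording that `strict` is the only level that keeps the console off the public interface, since the docs and this expression must stay in sync.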
@@ -943,3 +945,38 @@ "external": true } ] + + - name: Ensure Caddy fragment directory exists + ansible.builtin.file: + path: /etc/caddy/conf.d + state: directory + owner: root + group: root + mode: "0755" + + - name: Deploy xworkspace-console public Caddy site + ansible.builtin.copy: + dest: "/etc/caddy/conf.d/{{ xworkspace_console_domain }}.caddy" + owner: root + group: root + mode: "0644" + content: | + {{ xworkspace_console_domain }} { + reverse_proxy 127.0.0.1:{{ xworkspace_console_portal_port }} + } + when: xworkspace_console_public_access | bool + register: xworkspace_caddy_deploy + + - name: Remove xworkspace-console public Caddy site when disabled + ansible.builtin.file: + path: "/etc/caddy/conf.d/{{ xworkspace_console_domain }}.caddy" + state: absent + when: not (xworkspace_console_public_access | bool) + register: xworkspace_caddy_remove + + - name: Reload Caddy if xworkspace-console proxy changed + ansible.builtin.service: + name: caddy + state: reloaded + when: (xworkspace_caddy_deploy.changed or xworkspace_caddy_remove.changed) and not ansible_check_mode + failed_when: false
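Review bot: `failed_when: false` on the "Reload Caddy" task hides a failed reload, so when `xworkspace_console_public_access` is set to false the `.caddy` file is removed but the previously loaded site can stay live in Caddy while the play reports success; the disable path should fail loudly, so drop `failed_when: false` (if the intent was to tolerate a stopped Caddy, check the service state explicitly instead of ignoring every error). It would also be worth validating the assembled Caddy config (`caddy validate`) before the reload so a bad fragment does not take the other sites down with it. Separately, the generated site block only does `reverse_proxy 127.0.0.1:{{ xworkspace_console_portal_port }}` with no access control at the proxy, so with the `standard` default of true the console is reachable from the internet protected only by whatever authentication the portal itself enforces — the portal is not visible here, so confirm it has its own auth, or add a Caddy `basic_auth` block or a `remote_ip` allowlist matcher in this fragment. `xworkspace_console_portal_port` is not defined in this diff, so it presumably comes from vars elsewhere in the play; a short comment on the `content:` block naming where it is set would help the next reader.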